13.07.2015 Views

Endpoint Security - Check Point


Endpoint Security
Client Guide
Version 7.0 GA
January 15, 2008


© 2008 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

©2003-2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications.


Contents
About this guide
  Conventions
Chapter 1 Installation and setup
  Installing Endpoint Security
  Launching Endpoint Security
  Upgrading from a previous version
  Updating Endpoint Security Automatically
  Uninstalling Endpoint Security
Chapter 2 Endpoint Security basics
  Tour of the Endpoint Security Control Center
  Getting around the Control Center
  Menu bar
  Tab selectors
  Show/Hide Text
  Help button
  System Tray icons
  Using the Status tab
  Blocked intrusions
  Inbound Protection
  Outbound Protection
  E-mail Protection area
  Tutorial
  Understanding Zones
  Zones manage firewall security
  High security setting
  Medium security setting
  Zones provide program control
  Responding to alerts
  New Program alerts
  New Network and VPN alerts
  Compliance alerts
  Setting product preferences
  Setting your user-level password
  Setting general product preferences
  Setting general contact preferences
Chapter 3 Networking with Endpoint Security
  Configuring a new network connection
  Using the Network Configuration Wizard
  Disabling the Network Configuration Wizard

User Guide for Check Point Endpoint Security client


  Connecting through a proxy server
  Integrating with network services
  Enabling file and printer sharing
  Connecting to network mail servers
  Enabling Internet Connection Sharing
  Configuring your VPN connection
  Supported VPN protocols
  Configuring your VPN connection automatically
  Configuring your VPN connection manually
  Adding a VPN gateway and other resources to the Trusted Zone
  Removing a VPN gateway from a blocked range or subnet
  Allowing VPN protocols
  Granting access permission to VPN software
  Configuring Temporary Wi-Fi Network Access
Chapter 4 Firewall protection
  Understanding Firewall protection
  Choosing security levels
  Setting the security level for a Zone
  Setting advanced security options
  Setting Gateway security options
  Setting ICS (Internet Connection Sharing) options
  Setting General security options
  Setting Network security options
  Managing traffic sources
  Viewing the traffic source list
  Modifying traffic sources
  Adding to the Trusted Zone
  Adding to the Blocked Zone
  Blocking and unblocking ports
  Default port permission settings
  Adding custom ports
Chapter 5 Virtual private networking
  Endpoint Security VPN basics
  Obtaining Authentication Credentials
  Compact and extended versions of the VPN interface
  Configuring profiles and sites
  Managing connection profiles
  Creating a new profile
  Exporting and importing profiles
  Cloning profiles
  Changing profiles
  Creating a profile shortcut on your desktop
  Viewing profile properties
  Deleting profiles
  Managing VPN sites
  Defining a site


  Viewing site properties
  Changing authentication methods
  Updating sites
  Disabling sites
  Deleting sites
  Managing certificates
  Managing Entrust certificates
  Enabling Entrust Entelligence
  Initiating Entrust certificates
  Creating Entrust certificates
  Creating Check Point certificates
  Creating a Check Point certificate as a PKCS#12 file
  Creating a Check Point certificate as a CAPI token
  Renewing Check Point certificates
  Configuring connection options
  Auto-Connect
  Secure Domain Logon
  Auto Local Logon
  Proxy Settings (Visitor Mode)
  Advanced configuration options
  Managing your VPN connection
  Connecting and disconnecting
  Connecting through a hotspot
  Suspending pop-up messages
  Enabling Office Mode
  Enabling Hub Mode
  Enabling Connectivity Enhancements
  Connection status
  Viewing general status information
  Viewing activity statistics
  Viewing connection details
  Enabling logging
Chapter 6 Program control
  Understanding Program control
  Program access control
  Program authentication
  Setting general program control options
  Setting the program control level
  Enabling the automatic lock
  Configuring program access
  Setting access permissions for new programs
  Customizing program control settings
  Setting permissions for specific programs
  Using the programs list
  Adding a program to the programs list
  Granting a program permission to access the Internet
  Granting a program permission to act as a server
  Granting pass-lock permission to a program
  Granting send mail permission to a program


  Advanced Program Control
  Disabling Outbound Mail protection for a program
  Setting Filter Options
  Setting authentication options
  Allowing others to use programs
  Managing program components
  Using your programs with Endpoint Security
  Using Antivirus software
  Using browser software
  Internet Explorer
  Netscape
  Using chat programs with Endpoint Security
  Using e-mail programs with Endpoint Security
  Using Internet answering machine programs with Endpoint Security
  Using file sharing programs with Endpoint Security
  Using FTP programs with Endpoint Security
  Using games with Endpoint Security
  Program permission
  Security level/Zone
  Using remote control programs with Endpoint Security
  Using VNC with Endpoint Security
  Using streaming media programs Endpoint Security
  Using Voice over Internet programs with Endpoint Security
  Using Web conferencing programs with Endpoint Security
Chapter 7 Spyware and Virus protection
  Spyware and Virus Protection
  Turning on virus and spyware protection
  Scheduling a scan
  Updating virus and spyware definitions
  Customizing virus protection options
  Specifying scan targets
  On-Access scanning
  E-mail Scanning
  Enabling automatic virus treatment
  Virus Scan Options
  Exceptions List
  Customizing spyware protection options
  Enabling automatic spyware treatment
  Specifying spyware detection methods
  Excluding spyware from scans
  Preventing spyware attacks
  Performing a virus scan
  Understanding virus scan results
  Name
  Treatment
  Risk
  Path
  Type
  Status
  Information


  Treating virus files manually
  Repairing files in an archive
  Submitting viruses and spyware to Check Point for review
  Viewing logged virus events
  Performing a spyware scan
  Understanding spyware scan results
  Name
  Treatment
  Security Risk
  Type
  Status
  Information
  Errors in spyware scan results
  Viewing items in quarantine
  Infection
  Days in Quarantine
  Path
  Type
  Name
  Risk
  Days in Quarantine
  Viewing logged spyware events
  Viewing virus and spyware protection status
Chapter 8 E-mail protection
  Understanding e-mail protection
  Outbound MailSafe protection
  Enabling Outbound MailSafe protection
  Customizing Outbound MailSafe protection
  Enabling Outbound MailSafe protection by program
  Setting Outbound MailSafe protection options
Chapter 9 Privacy protection
  Understanding privacy protection
  Setting general privacy options
  Setting privacy protection levels
  Applying privacy protection to programs other than browsers
  Using Privacy Advisor
  Setting privacy options for specific Web sites
  Viewing the privacy site list
  Adding sites to the privacy site list
  Editing sites on the site list
  Customizing cookie control
  Blocking session cookies
  Blocking persistent cookies
  Blocking third-party cookies
  Setting an expiration date for cookies
  Customizing ad blocking


  Specifying which ads to block
  Setting ad void control options
  Customizing mobile code control
  Specifying which types of mobile code to block
  Understanding Cache cleaner
  Using Cache Cleaner
  Customizing hard drive cleaning options
  Customizing browser cleaning options
Chapter 10 Policies
  Personal, enterprise, and disconnected security policies
  Understanding policy arbitration
  Viewing available policies
  Using the Policies panel
  Policy Name
  Active
  Last Server Contact
  Author
  Entry Detail Area
Chapter 11 Alerts and Logs
  Understanding alerts and logs
  About alerts
  Informational alerts
  Program alerts
  New Network alerts
  About event logging
  Setting basic alert and log options
  Setting the alert event level
  Setting event and program logging options
  Showing or hiding specific alerts
  Showing or hiding firewall alerts
  Enabling system tray alerts
  Setting event and program log options
  Formatting log appearance
  Customizing event logging
  Customizing program logging
  Viewing log entries
  Log Viewer fields
  Viewing the text log
  Text log fields
  Archiving log entries
  Specifying the archive location
  Using Alert Advisor
Appendix A Alert reference
  Informational alerts
  Firewall alert/Protected


  Why these alerts occur
  What you should do
  How to see fewer of these alerts
  MailSafe alert
  Why these alerts occur
  What you should do
  Blocked Program alert
  Why these alerts occur
  What you should do
  How to see fewer of these alerts
  Internet Lock alert
  Why these alerts occur
  What you should do
  How to see fewer of these alerts
  Endpoint Security Policy Received alert
  Why these alerts occur
  What you should do
  How you can see fewer of these alerts
  Compliance alert
  Why these alerts appear
  What you should do
  How you can see fewer of these alerts
  Connected/Disconnecting alert
  Why these alerts occur
  What you should do
  How you can see fewer of these alerts
  Program alerts
  New Program alert
  Why these alerts occur
  What you should do
  How to see fewer of these alerts
  Repeat Program alert
  Why these alerts occur
  What you should do
  How to see fewer of these alerts
  Changed Program alert
  Why these alerts occur
  What you should do
  How to see fewer of these alerts
  Program Component alert
  Why these alerts occur
  What you should do
  How to see fewer of these alerts
  Server Program alert
  Why these alerts occur
  What you should do
  How to see fewer of these alerts
  Advanced Program alert
  Why these alerts occur
  What you should do
  How to see fewer of these alerts
  Automatic VPN Configuration alert
  Why these alerts occur
  What you should do


  How to see fewer of these alerts
  Manual Action Required alert
  Why these alerts occur
  What you should do
  How to see fewer of these alerts
  New Network alert
  Why these alerts occur
  What you should do
  How to see fewer of these alerts
  Instant Messaging alerts

Appendix B Keyboard shortcuts
  Navigation shortcuts
  Global function shortcuts
  Dialog box commands
  Button shortcuts

Appendix C Troubleshooting
  VPN
  Configuring Endpoint Security for VPN traffic
  VPN auto-configuration and expert rules
  Automatic VPN detection delay
  Networking
  Making your computer visible on your local network
  Sharing files and printers across a local network
  Resolving a slow start up
  Internet Connection
  Connecting to the Internet fails after installation
  Allowing ISP Heartbeat messages
  Identifying the source of the heartbeat messages
  Configuring Endpoint Security to allow ping messages
  Connecting through an ICS client
  Connecting through a proxy server

Glossary

Index


Tables
  Table P-3: System Tray icons
  Table 3-1: Required VPN-related network resources
  Table 4-1: Traffic source list fields
  Table 4-2: Default access permissions for incoming and outgoing traffic types
  Table 6-2: Program permission symbols
  Table 7-2: Icons indicating scan targets
  Table 7-3: Virus event log fields
  Table 7-4: Spyware event log fields
  Table 11-1: Log Viewer Fields
  Table 11-2: Text log fields
  Table A-1: IM alert messages
  Table B-1: Navigation shortcuts
  Table B-2: Global shortcuts
  Table B-3: Dialog box shortcuts
  Table B-4: Keystrokes for activating buttons
  Table C-1: Troubleshooting VPN problems
  Table C-2: Troubleshooting network problems
  Table C-3: Troubleshooting Internet connection problems


Figures
  Figure 2-1: Endpoint Security control center
  Figure 6-1: Programs list
  Figure 6-3: Components List
  Figure 7-1: Antivirus and Antispyware status
  Figure 7-2: Scan targets dialog box
  Figure 7-3: Virus scan results dialog
  Figure 7-4: Spyware scan results dialog
  Figure 9-1: Privacy site list
  Figure 10-1: Policies list


Preface
• “About this guide,” on page 15


About this guide
This guide is intended for users of Endpoint Security.

Conventions
This guide uses the following formatting and graphics conventions.

Convention    Description
Bold          Used for user interface elements such as panels, tabs, fields, buttons, and menu options.
Italic        Used for glossary terms, file names, and paths.
|             Used to separate panel and tab selections in procedures. Example: Select Overview | Status, then click Add.
[icon]        Tip icon. Suggests alternative methods for accomplishing tasks or procedures.
[icon]        Note icon. Emphasizes related, reinforcing, or important information.
[icon]        Caution icon. Indicates actions or processes that can potentially damage data or programs.


Chapter 1: Installation and setup
This chapter provides instructions for installing, upgrading, configuring, and uninstalling Endpoint Security.

Topics:
• “Installing Endpoint Security,” on page 2
• “Upgrading from a previous version,” on page 3
• “Updating Endpoint Security Automatically,” on page 4
• “Uninstalling Endpoint Security,” on page 4


Installing Endpoint Security
Under most circumstances, your administrator will install Endpoint Security for you. Should you need to install Endpoint Security, however, refer to this section for instructions. If you have an open network connection (such as SSH or FTP), those connections will be closed when you install Endpoint Security.

If you have a previous version of Endpoint Security installed, you may receive a security warning during installation. Click OK to dismiss these warnings before proceeding with installation.

1. Double-click the appropriate .msi install file.
   The installation program begins.
2. Either specify a location for the installation files, or click Next to continue.
   The default location is C:\Program Files\CheckPoint\Endpoint Security.
3. Type your name, company (optional), and e-mail address, then click Next.
4. Read and accept the license agreement, then click Install.
   The installation program runs.
5. Click Finish to close the installation program.
6. Click Yes to start Endpoint Security.
   If you are upgrading to version 7.0 from a previous version, you may be prompted to restart your computer to complete the installation process.
7. Click OK to restart your computer, or click Cancel.
   If you click Cancel, remember to restart your computer later to complete the installation process.

Launching Endpoint Security
After installing Endpoint Security and rebooting your computer, Endpoint Security should launch automatically. To launch Endpoint Security manually, select Start|Check Point Endpoint Security.

In some cases you may be prompted for login credentials after launching Endpoint Security. If this occurs, contact your system administrator to obtain the required information.


Upgrading from a previous version
Endpoint Security is designed for easy upgrade from version to version. In most cases, you do not need to uninstall your existing version before upgrading to version 7.0.

If you are upgrading to Endpoint Security from a ZoneAlarm client, any open network sessions will be closed upon installation.

To upgrade from a previous version:
1. Double-click the installation file.
   The installation program begins.
2. Select an upgrade option, then click Next to continue.
   Upgrade: This option preserves your existing security settings and applies them to the new version. New features that are added during upgrade receive default settings.
   Clean Install: This option discards your existing security settings and restores default settings.


Updating Endpoint Security Automatically
Endpoint Security version 5.5 and later may automatically prompt you to update when a newer version becomes available.

To update Endpoint Security:
1. In the alert box, click OK to begin updating Endpoint Security.
   An Installation Alert dialog box appears.

Uninstalling Endpoint Security
If you need to uninstall Endpoint Security, run the uninstall program included with your installation rather than using the Windows Add/Remove Programs utility. This ensures that all traces of Endpoint Security are removed from your computer. You must provide an administrator password before you can uninstall Endpoint Security.

If you are upgrading, there is no need to uninstall your existing version. For more information, see “Upgrading from a previous version,” on page 3.

To uninstall Endpoint Security:
1. Select Start|Programs.
2. Select Check Point Endpoint Security|Uninstall.
   The Uninstallation program begins.


Chapter 2: Endpoint Security basics
This chapter provides an introduction to the main tools and concepts of Endpoint Security.

Topics:
• “Tour of the Endpoint Security Control Center,” on page 6
• “Understanding Zones,” on page 9
• “Responding to alerts,” on page 11
• “Setting product preferences,” on page 13


Tour of the Endpoint Security Control Center
The Endpoint Security Control Center provides one-stop access to the security features that keep your computer safe. Endpoint Security’s major features are presented in a menu on the left side of the Control Center.

Getting around the Control Center
To move from feature to feature, first select the feature you want from the menu, then select the tab you want to view.

Figure 2-1: Endpoint Security control center (callouts: Menu bar; Help; Tab selectors; Click to show or hide help text; Click to resize)


Menu bar
The menu bar provides access to the available panels. The tools in each panel are arranged in two or more tabs.

Tab selectors
Click a tab selector to bring the tab you want to see to the top.

With the exception of the Overview panel, each panel in the Control Center has a Main tab and one or two other tabs. The Main tab contains the global controls for that panel.

Show/Hide Text
Click this link to show or hide instructional text for the selected tab. The text gives a brief explanation of the tab and its controls.

Help button
To get help with the controls on any panel, click the Help link in the upper-right corner. Endpoint Security’s online help system goes immediately to the help topic for the selected tab.

System Tray icons
The icons displayed in the system tray let you monitor your security status and Internet activity as frequently as you wish, and access your security settings in just a few clicks. Right-click any of the icons below to access a shortcut menu.

Icon      Description
[icon]    Endpoint Security is installed and running.
[icon]    VPN is connected.
[icon]    Your computer is sending (red band) or receiving (green band) network traffic. This does not imply that you have a security problem, or that the network traffic is dangerous.
[icon]    Security scan is in progress.
[icon]    Endpoint Security is downloading a client update.
[icon]    Endpoint Security is out of compliance with a policy.
[icon]    Endpoint Security has experienced an application error.
Table P-3: System Tray icons

Using the Status tab
The protection area of the Status tab tells you whether your firewall, program, and e-mail security settings are enabled and provides a summary of security activity. From the Status tab you can:
• See at a glance if your computer is secure
• See a summary of Endpoint Security’s activity
• See if your version of Endpoint Security is up to date
• Access the product tutorial

To reset the alert counts in this area, click Reset to Default at the bottom of the panel.

Blocked intrusions
Shows you how many times the Endpoint Security firewall and MailSafe have acted to protect you, and how many were high-rated alerts.

Inbound Protection
Indicates whether your firewall is on and displays the number of Firewall alerts and Internet Lock alerts that have occurred since the last reset. If a warning is displayed, click the underlined warning text to go immediately to the panel where you can adjust your settings.

Outbound Protection
Indicates whether program control is configured safely and displays the number of program alerts that have occurred since the last reset. Endpoint Security will warn you if program control is disabled.

E-mail Protection area
Indicates whether MailSafe is enabled and displays the number of attachments that have been quarantined since the last reset. If a warning is displayed, click the underlined warning text to go immediately to the panel where you can adjust your settings.

Tutorial
Click Tutorial to learn the basics of how Endpoint Security works.


your Windows networking services.) At Medium security, you are no longer in stealth mode.

We recommend that you use the Medium security setting for the first few days of normal Internet use after installing Endpoint Security. After a few days of normal use, Endpoint Security will have learned the signatures of the majority of the components needed by your Internet-accessing programs, and will remind you to raise the Program Authentication level to High.

No security level is necessary for the Blocked Zone, because no traffic to or from that Zone is allowed.

Advanced users can customize high and medium security for each Zone by blocking or opening specific ports. For more information, see “Blocking and unblocking ports,” on page 35.

Zones provide program control
Whenever a program requests access permission or server permission, it is trying to communicate with a computer or network in a specific Zone. For each program you can grant or deny the following permissions:
• Access permission for the Trusted Zone.
• Access permission for the Internet Zone.
• Server permission for the Trusted Zone.
• Server permission for the Internet Zone.

By granting access or server permission for the Trusted Zone, you enable a program to communicate only with the computers and networks you have put in that Zone. This is a highly secure strategy. Even if a program is tampered with, or given permission accidentally, it can only communicate with a limited number of networks or computers.

By granting access or server permission for the Internet Zone, however, you enable a program to communicate with any computer or network, anywhere.


Responding to alerts
When you first start using Endpoint Security, it is not unusual to see a number of alerts. Don’t worry! This doesn’t mean you’re under attack. It just means that Endpoint Security is learning your program and network configurations, and giving you the opportunity to set up your security the way you want it.

How you respond to an alert depends upon the type of alert displayed. For information on responding to a particular type of alert, see Appendix A, “Alert reference,” starting on page 150.

New Program alerts
The majority of the initial alerts you see will be New Program alerts. These alerts occur when a program on your computer requests access or server permission to the Internet or your local network. Use the New Program alert to give access permission to programs that need it—like your browser and e-mail program.

Use the check box labeled Remember this answer to give permanent permission to programs you trust.

Few programs or processes actually require server permission in order to function properly. Some processes, however, are used by Microsoft Windows to carry out legitimate functions. Some of the more common ones you may see in alerts are:
• lsass.exe
• spoolsv.exe
• svchost.exe
• services.exe
• winlogon.exe

If you do not recognize the program or process that is asking for server permission, search the Microsoft Support Web site (http://support.microsoft.com/) for information on the process to determine what it is and what it’s used for. Be aware that many legitimate Windows processes, including those listed above, have the potential to be used by hackers to disguise worms and viruses, or to provide backdoor access to your system for Trojan horses. If you were not performing a function (such as browsing files, logging onto a network, or downloading files) when the alert appeared, then the safest approach is to deny server permission. At any time, you can assign permissions to specific programs and services from the Programs List, accessed by selecting Program Control | Programs tab.

If you’re seeing many server program alerts, you may want to run a spyware scan as an added precaution. For information on running a spyware scan, see “Performing a spyware scan,” on page 106.

To learn more about New Program alerts and how to respond to them, see “New Program alert,” on page 156.

New Network and VPN alerts
The other initial alerts you may see are the New Network alert and VPN Configuration alerts. These occur when Endpoint Security detects a network connection or VPN connection. They help you configure your Trusted Zone, port/protocol permission, and program permissions correctly so that you can work securely over your network.

For details about these alerts and how to respond to them, see Appendix A, “New Program alert,” starting on page 156.

Compliance alerts
Compliance alerts occur when Endpoint Security server operating in conjunction with Endpoint Security client determines that your computer is non-compliant with enterprise security requirements. Depending on the type of non-compliance, your ability to access the corporate network may be restricted or even terminated.

Computers that are running the correct types and versions of required software are said to be compliant with enterprise security requirements. When on the other hand Endpoint Security determines that a computer is non-compliant, it:
• Displays a Compliance alert (but only if the display of Compliance alerts is enabled in the currently active enterprise security policy)
• Directs you to a Web page that tells you how to make the endpoint computer compliant

What happens next depends on your company’s security policies.
• If the non-compliant condition does not require immediate remediation, your access to the corporate network may be restricted: You can continue to access some corporate network resources before you perform the steps necessary to make your computer compliant.
• If the non-compliant condition requires immediate remediation, your access to the corporate network may be terminated. In this case, you may only be able to access the Web page that tells you how to make your computer compliant with corporate security requirements.

To learn more about Compliance alerts and how to respond to them, see “Compliance alert,” on page 154.
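The New Program alerts section above notes that Windows process names such as svchost.exe or lsass.exe can be used to disguise malicious programs; one way to check a running process before granting it server permission is sketched below. This PowerShell is an added example, not part of the Check Point guide: it assumes a default Windows layout in which these five processes run from %SystemRoot%\System32 and are signed by Microsoft, and the function names are hypothetical.

```powershell
# Added example (not from the Check Point guide).
# Assumptions: default Windows layout (%SystemRoot%\System32) and Microsoft-signed
# system images. Run from an elevated 64-bit PowerShell so image paths are readable
# and System32 is not redirected to SysWOW64.

# The five process names listed in the guide.
$WatchedNames = 'lsass.exe', 'spoolsv.exe', 'svchost.exe', 'services.exe', 'winlogon.exe'
$ExpectedDir  = Join-Path -Path $env:SystemRoot -ChildPath 'System32'

function Test-SystemProcessImage {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [string] $Path,
        [uint32] $ProcessId
    )

    if ([string]::IsNullOrEmpty($Path)) {
        # Protected processes hide their image path from non-elevated callers.
        $finding = 'Image path not readable; re-run from an elevated prompt'
    }
    elseif ((Split-Path -Path $Path -Parent) -ne $ExpectedDir) {
        # String comparison with -ne is case-insensitive, which suits Windows paths.
        $finding = 'SUSPICIOUS: runs outside System32'
    }
    elseif (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $finding = 'SUSPICIOUS: image file is no longer on disk'
    }
    else {
        # On older Windows/PowerShell versions, catalog-signed system files can
        # report NotSigned here; treat that as a prompt for a manual check.
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        if ($sig.Status -ne 'Valid') {
            $finding = "SUSPICIOUS: signature status is $($sig.Status)"
        }
        elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $finding = "SUSPICIOUS: signed by $($sig.SignerCertificate.Subject)"
        }
        else {
            $finding = 'OK'
        }
    }

    [pscustomobject]@{
        Name      = $Name
        ProcessId = $ProcessId
        Path      = $Path
        Finding   = $finding
    }
}

function Get-WatchedProcessReport {   # hypothetical helper name
    # Win32_Process exposes Name, ProcessId and ExecutablePath for each process.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $WatchedNames -contains $_.Name } |
        ForEach-Object {
            Test-SystemProcessImage -Name $_.Name -Path $_.ExecutablePath -ProcessId $_.ProcessId
        }
}

# Live check of the local machine.
Get-WatchedProcessReport | Sort-Object Finding, Name | Format-Table -AutoSize -Wrap

# Constructed record (not a real process): a familiar name started from a
# user-writable folder, which the parent-folder check is meant to flag.
Test-SystemProcessImage -Name 'svchost.exe' -Path 'C:\Users\Public\svchost.exe' -ProcessId 0
```

A finding other than OK is a reason to deny server permission and investigate, not proof of infection; the name list and expected folder can be adjusted for non-default installations.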


Setting product preferences
Use the Preferences tab to set or change your Endpoint Security password, log in or log out, manage updates, set general options for the display of the Endpoint Security Control Center, and configure privacy settings for communications with Check Point.

Setting your user-level password
By setting a user-level password, you prevent anyone but you from shutting down or uninstalling Endpoint Security, or changing your security settings. Setting a password will not prevent other people from accessing the Internet from your computer.

If your version of Endpoint Security was installed by an administrator with an installation password, that administrator can access all functions.

When you set a password for the first time, be sure to log out before leaving your computer. Otherwise, others can still change your settings.

To set or change an Endpoint Security password:
1. Select Overview|Preferences.
2. Click Set Password.
3. Type your password and password verification in the fields provided.
4. Select Allow others to use programs without a password to allow other users of your computer to grant new programs one-time access to the network or Internet.
5. Click OK.

Valid passwords are between 6 and 31 characters long. Valid characters include A-Z, a-z, 0-9, and characters !,@,#,$,%,^,&,*.

Once you have set a password, you must log in before you can change settings, shut down the TrueVector security engine, or uninstall Endpoint Security.

Setting general product preferences
By default, Endpoint Security starts automatically when you turn on your computer. Use the settings in the General area to change the automatic startup option, to customize appearance, and configure proxy settings.

To set general display preferences:
1. Select Overview|Preferences.


Chapter 2: <strong>Endpoint</strong> <strong>Security</strong> basicsSetting general contact preferences2. In the General area, specify your preferences.Load <strong>Endpoint</strong> <strong>Security</strong> securitysoftware at startupProtect the <strong>Check</strong> <strong>Point</strong> <strong>Endpoint</strong><strong>Security</strong> client<strong>Endpoint</strong> <strong>Security</strong> starts automatically when you turnon your computer.Prevents Trojan horses from sending Keyboard andMouse requests to <strong>Endpoint</strong> <strong>Security</strong>.Note: To ensure maximum security, only disable thisfeature if you are having problems with your keyboardor mouse while using remote access programs.3. In the General area, click Options.The Options dialog box appears.4. In the Display settings area, choose your display preferences.Remember the last tab visitedColor-schemeOpens <strong>Endpoint</strong> <strong>Security</strong> to the tab that you had openthe last time you closed the Control Center.Allows you to change the default color scheme of theControl Center.5. Click OK to save your changes.Setting general contact preferencesSetting general contact preferences ensures that your privacy is protected when<strong>Endpoint</strong> <strong>Security</strong> communicates with <strong>Check</strong> <strong>Point</strong> (for example, to check automaticallyfor updates).To set contact preferences:1. Select Overview|Preferences.2. 
In the Contact with <strong>Check</strong> <strong>Point</strong> area, specify your preferences.Alert me with a pop-upbefore I make contactHide my IP address whenapplicableHide the last octet of myIP address when applicableDisplays a warning before contacting <strong>Check</strong><strong>Point</strong> to deliver registration information, getproduct updates, research an alert, or accessDNS to look up IP addresses.Note: If you are participating in the <strong>Check</strong><strong>Point</strong> Secure Community, you will not bealerted before sending anonymous data.Prevents your computer from being identifiedwhen you contact <strong>Check</strong> <strong>Point</strong>Omits the last section of your IP address (forexample, 123.456.789.XXX) when you contact<strong>Check</strong> <strong>Point</strong>User Guide for <strong>Check</strong> <strong>Point</strong> <strong>Endpoint</strong> <strong>Security</strong> client 14


Chapter 3: Networking with Endpoint Security

If you’re on a home network, business Local Area Network (LAN), or Virtual Private Network (VPN), you want to ensure smooth communication with the network while still maintaining high security. The Network Configuration Wizard, automatic VPN configuration, and other features of Endpoint Security help you to quickly set up your network environment.

Topics:
• “Configuring a new network connection”
• “Integrating with network services”
• “Configuring your VPN connection”
• “Configuring Temporary Wi-Fi Network Access”


Configuring a new network connection

If your computer connects to a network, you have to decide whether to place that network in the Trusted Zone or in the Internet Zone.

Placing a network in the Trusted Zone enables you to share files, printers, and other resources with other computers on that network. Networks you know and trust, such as your home or business LAN, should go in the Trusted Zone.

Placing a network in the Internet Zone prevents you from sharing resources with other computers on that network and protects you from the security risks associated with resource sharing. Unknown networks should go in the Internet Zone.

The Network Configuration Wizard helps you make this decision by determining whether the detected network is public or private.

Using the Network Configuration Wizard

When your computer connects to a new network, Endpoint Security opens the Network Configuration Wizard, displaying the IP address of the detected network and whether it is public or private.

The IP address of the network is used to determine whether it is a private network or a public network.

A private network is usually a home or business Local Area Network (LAN). Private networks are placed in the Trusted Zone by default.

A public network is usually a much larger network, such as that associated with an ISP. Public networks are placed in the Internet Zone by default.

To configure your network connection using the Network Configuration Wizard:
1. Choose the Zone you want this network in, then click Next. By default, Endpoint Security places private networks in the Trusted Zone, and public networks in the Internet Zone.
2. Name the network. The name you enter here will be displayed in the Zones tab of the Firewall panel.

If you prefer not to use the Network Configuration Wizard, click Cancel in any Wizard screen. A New Network alert will appear. The detected network will be placed in the Internet Zone, even if it is a private network. For information on using the New Network alert, see “New Network alert,” on page 163.


Disabling the Network Configuration Wizard

The Network Configuration Wizard is enabled by default. If you prefer to use the New Network Alert to configure new networks, you can disable the Network Configuration Wizard.

To disable the Network Configuration Wizard:
In screen four of the Wizard, select the check box labeled Do not show this Wizard the next time a new network is detected, then click Finish.

Connecting through a proxy server

To enable your computer to connect to the Internet through a proxy server, add the proxy to your Trusted Zone. See “Adding to the Trusted Zone,” on page 33.


Integrating with network services

If you’re working on a home or business network, you may want to share files, network printers, or other resources with other people on the network, or send and receive e-mail through your network’s mail servers. Use the instructions in this section to enable safe resource sharing.

Enabling file and printer sharing

To share printers and files with other computers on your network, you will need to configure Endpoint Security to allow access to the computers with which you plan to share resources.

To configure Endpoint Security for file and printer sharing:
1. Add the network subnet (or, in a small network, the IP address of each computer you’re sharing with) to your Trusted Zone. See “Adding to the Trusted Zone,” on page 33.
2. Set the Trusted Zone security level to Medium. This allows trusted computers to access your shared files. See “Setting the security level for a Zone,” on page 27.
3. Set Internet Zone security to High. This makes your computer invisible to non-trusted machines. See “Setting the security level for a Zone,” on page 27.

Connecting to network mail servers

Endpoint Security is configured to automatically work with Internet-based mail servers using POP3 and IMAP4 protocols, when you give your e-mail client permission to access the Internet.

Some mail servers, like Microsoft Exchange, include collaboration and synchronization features that might require you to trust the server in order for those services to work.

To configure Endpoint Security for mail servers with collaboration and synchronization features:
1. Add the network subnet or IP address of the mail server to your Trusted Zone.
2. Set the Trusted Zone security level to Medium. This allows server collaboration features to work.
3. Set Internet Zone security level to High. This makes your computer invisible to non-trusted machines.


Enabling Internet Connection Sharing

If you are using Windows’ Internet Connection Sharing (ICS) option, or a third-party connection sharing program, you can protect all of the computers that share the connection from inbound threats by installing Endpoint Security on the gateway machine only. However, to receive outbound protection, or to see alerts on the client machines, you must have Endpoint Security installed on the client machines as well.

Before you configure Endpoint Security, use your ICS software to set up the gateway and client relationships. If you use hardware such as a router to share your Internet connection rather than Microsoft’s Internet Connection Sharing (ICS), ensure that the local subnet is in the Trusted Zone.


Configuring your VPN connection

Endpoint Security is compatible with many types of VPN client software and can automatically configure the connection for certain VPN clients.

Supported VPN protocols

Endpoint Security monitors the VPN protocols listed in the table below.

| Networking Protocol | Explanation and Comments |
|---|---|
| AH | Authentication Header Protocol |
| ESP | Encapsulating Security Payload protocol |
| GRE | Generic Routing Encapsulation protocol |
| IKE | Internet Key Exchange protocol |
| IPSec | IP Security protocol. |
| L2TP | Layer 2 Tunneling protocol. L2TP is a more secure variation of PPTP. |
| LDAP | Lightweight Directory Access protocol |
| PPTP | Point-to-Point Tunneling protocol |
| SKIP | Simple Key Management for Internet Protocol |

Configuring your VPN connection automatically

When VPN traffic is detected, an Automatic VPN Configuration alert is displayed. Depending upon the type of VPN activity detected, and whether Endpoint Security was able to configure your VPN connection automatically, you may see one of three Automatic VPN Configuration alerts.

For detailed information about the types of Automatic VPN Configuration alerts you may see and how to respond to them, see “New Network alert,” on page 163.

For instance, manual action may be required if the loopback adaptor or the IP address of the VPN gateway falls within a range or subnet that you have blocked. For more information, see “Configuring your VPN connection manually,” on page 20.

Configuring your VPN connection manually

If your VPN connection cannot be configured automatically, Endpoint Security displays a Manual Action Required alert informing you of the manual changes you need to make to configure your connection.

Refer to the following sections for manual configuration instructions:
• Adding a VPN gateway and other resources to the Trusted Zone
• Removing a VPN gateway from a blocked range or subnet
• Allowing VPN protocols
• Granting access permission to VPN software

Adding a VPN gateway and other resources to the Trusted Zone

In addition to the VPN gateway, there may be other VPN-related resources that need to be in the Trusted Zone for your VPN to function properly.

Required Resources. The resources below are required by all VPN client computers and must be added to the Trusted Zone.
• VPN Concentrator
• Remote host computers connected to the VPN client (if not included in the subnet definitions for the corporate network)
• Corporate Wide Area Network (WAN) subnets that will be accessed by the VPN client computer
• Corporate LANs that will be accessed by the VPN computer

Other Resources. The resources below may or may not be required, depending on your specific VPN implementation.
• DNS servers
• Local host computer’s NIC loopback address (depending on Windows version). If you specify a local host loopback address of 127.0.0.1, do not run proxy software on the local host.
• Internet Gateway
• Local subnets
• Security servers (for example, RADIUS, ACE, or TACACS servers)

Table 3-1: Required VPN-related network resources

Removing a VPN gateway from a blocked range or subnet

If the VPN gateway falls within a range or subnet that you have blocked, you must manually unblock the range.

To unblock an IP range or subnet:
1. Select Firewall|Zones.
2. In the Zone column, select the blocked IP range or subnet.
3. Select Trusted from the shortcut menu, then click Apply.

Allowing VPN protocols

To ensure proper configuration of your VPN software with Endpoint Security, you will need to modify your general security settings to allow VPN protocols.

To allow VPN protocols:
1. Select Firewall|Main, then click Advanced.
2. In the General settings area, select the check box labeled Allow VPN protocols.
3. Click OK.

If your VPN program uses protocols other than GRE, ESP, and AH, also select the check box labeled Allow uncommon protocols at high security.

Granting access permission to VPN software

Grant access permission to the VPN client and any other VPN-related programs.

To grant permission to your VPN program:
1. Select Program Control|Programs.
2. In the Programs column, select your VPN program. If your VPN program is not listed, click Add to add it to the list.
3. In the Access column, click below Trusted, then select Allow from the shortcut menu.

To grant access to VPN-related components:
1. Select Program Control|Components.
2. In the Components column, select the VPN component for which you want to grant access.
3. In the Access column, select Allow from the shortcut menu.

If you are experiencing problems with your VPN connection, refer to the VPN troubleshooting tips in Appendix C, “Troubleshooting,” starting on page 172.


Configuring Temporary Wi-Fi Network Access

Your enterprise or disconnected policy may not automatically allow access to your network through a wireless hotspot provided by a hotel or other public place. Your policy may allow you to partially override this restriction in order to register a hotspot. This override is temporary, and has the following limitations:
• Only ports 80, 8080, and 443 are opened. These ports are commonly used for hotspot registration.
• No more than five IP addresses are allowed while registering the hotspot.
• Ports 80, 8080, and 443 are closed when any of these events occur:
   • You successfully connect to the network
   • Ten minutes pass
   • Three failed connection attempts

To Register a Hotspot

Right-click the Endpoint Security icon in the system tray, then select Register to Hotspot/Hotel.

If Register to Hotspot/Hotel does not display when you right-click the Endpoint Security icon in the system tray, this feature has been disabled by your network administrator.
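The limits of the temporary hotspot override listed above, written out as a small state machine. This is an added example, not part of the original guide and not Check Point's implementation; the class and method names, and the idea that the caller reports connection success or failure, are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

REGISTRATION_PORTS = frozenset({80, 8080, 443})  # the only ports the override opens
MAX_ADDRESSES = 5          # "No more than five IP addresses"
WINDOW_SECONDS = 10 * 60   # "Ten minutes pass"
MAX_FAILURES = 3           # "Three failed connection attempts"


@dataclass
class HotspotOverride:
    """Illustrative model of the temporary hotspot-registration override."""
    started_at: float
    addresses: set = field(default_factory=set)  # distinct destinations seen so far
    failures: int = 0
    closed_reason: Optional[str] = None

    def _close(self, reason):
        # Keep the first reason; once closed, the ports stay closed.
        if self.closed_reason is None:
            self.closed_reason = reason

    def _tick(self, now):
        if now - self.started_at >= WINDOW_SECONDS:
            self._close("timeout")

    def allows(self, dst_ip, dst_port, now):
        """Return True if the override permits this outbound connection."""
        self._tick(now)
        if self.closed_reason is not None or dst_port not in REGISTRATION_PORTS:
            return False
        if dst_ip not in self.addresses:
            if len(self.addresses) >= MAX_ADDRESSES:
                return False  # a sixth distinct address is refused
            self.addresses.add(dst_ip)
        return True

    def connection_failed(self, now):
        """Assumption: the caller reports each failed attempt to reach the network."""
        self._tick(now)
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self._close("failed attempts")

    def connected(self, now):
        """Assumption: the caller reports a successful connection to the network."""
        self._tick(now)
        self._close("connected")
```

All three closing events lead to the same state, so a captive portal that needs more than five hosts or more than ten minutes cannot be completed within one override.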




Chapter 4: Firewall protection

Firewall protection is your front line of defense against Internet threats. Endpoint Security’s default Zones and security levels give you immediate protection against the vast majority of threats.

Topics:
• “Understanding Firewall protection”
• “Choosing security levels”
• “Setting advanced security options”
• “Managing traffic sources”
• “Blocking and unblocking ports”


Understanding Firewall protection

In buildings, a firewall is a barrier that prevents a fire from spreading. In computers, the concept is similar. There are a variety of “fires” out there on the Internet—hacker activity, viruses, worms, and so forth. A firewall is a system that stops these attempts to damage your computer.

The Endpoint Security firewall guards the “doors” to your computer—that is, the ports through which Internet traffic comes in and goes out. Endpoint Security examines all the network traffic arriving at your computer, and asks these questions:
• What Zone did the traffic come from and what port is it addressed to?
• Do the rules for that Zone allow traffic through that port?
• Does the traffic violate any global rules?
• Is the traffic authorized by a program on your computer (Program Control settings)?

The answers to these questions determine whether the traffic is allowed or blocked.


Choosing security levels

The default firewall security levels (High for the Internet Zone, Medium for the Trusted Zone) protect you from port scans and other hacker activity, while enabling you to share printers, files, and other resources with trusted computers on your local network. In most cases, you don’t have to make any adjustment to these defaults. You’re protected as soon as Endpoint Security is installed!

Setting the security level for a Zone

Security levels make it easy to configure your firewall settings. You can apply a pre-configured security level (High, Medium, or Low) to each Zone, or you can specify the port and protocol restrictions for each level. See “Blocking and unblocking ports,” on page 35.

To set the security level for a Zone:
1. Select Firewall|Main.
2. In the Internet Zone Security area, click the slider and drag it to the desired setting.
   • HIGH: This is the default setting. Your computer is in stealth mode, making it invisible to other computers. Access to Windows NetBIOS (Network Basic Input/Output System) services, file and printer shares is blocked. Ports are blocked unless you have provided permission for a program to use them.
   • MED: Your computer is visible to other computers. Access to Windows services, file and printer shares is allowed. Program permissions are still enforced.
   • LOW: Your computer is visible to other computers. Access to Windows services, file and printer shares is allowed. Program permissions are still enforced.
3. In the Trusted Zone Security area, click the slider and drag it to the desired area.
   • HIGH: Your computer is in stealth mode, making it invisible to other computers. Access to Windows (NetBIOS) services, file and printer shares is blocked. Ports are blocked unless you have provided permission for a program to use them.
   • MED: This is the default setting. Your computer is visible to other computers. Access to Windows services, file and printer shares is allowed. Program permissions are still enforced.
   • LOW: Your computer is visible to other computers. Access to Windows services, file and printer shares is allowed. Program permissions are still enforced.


Setting advanced security options

Advanced security options enable you to configure the firewall for a variety of special situations, such as gateway enforcement and Internet Connection Sharing (ICS).

Setting Gateway security options

Some companies require their employees to use Endpoint Security when connecting to the Internet through their corporate gateway. When the Automatically check the gateway... control is selected, Endpoint Security checks for any compatible gateways and confirms that it is installed so that gateways requiring Endpoint Security will grant access.

You can leave this option selected even if you are not connecting through a gateway. Your Internet functions will not be affected.

Setting ICS (Internet Connection Sharing) options

If you are using ICS (Internet Connection Sharing), use these controls to configure Endpoint Security to recognize the ICS gateway and clients.

To set Internet Connection Sharing preferences:
1. Select Firewall|Main.
2. Click Advanced.
3. In the Internet Connection Sharing area, choose your security settings.
   • This computer is not on an ICS/NAT network: Internet Connection sharing is disabled.
   • This is a client of an ICS/NAT gateway running Endpoint Security: Endpoint Security automatically detects the IP address of the ICS gateway and displays it in the Gateway Address field. You also can type the IP address into the Gateway address field. Selecting Forward alerts from gateway to this computer will log and display alerts on the client computer that occur on the gateway.
   • This computer is an ICS/NAT gateway: Endpoint Security automatically detects the IP address of the ICS gateway and displays it in the Local Address field. You also can type the IP address into the Gateway address field. Selecting Suppress alerts locally if forwarded to clients prevents alerts that are forwarded from the gateway to clients from also being displayed on the gateway.
4. Click OK.


Setting General security options

These controls apply global rules regarding certain protocols, packet types and other forms of traffic (such as server traffic) to both the Trusted Zone and the Internet Zone.

To modify general security settings:
1. Select Firewall|Main.
2. Click Advanced.
3. In the General Settings area, choose your security settings.
   • Block all fragments: Blocks all incomplete (fragmented) IP data packets. Hackers sometimes create fragmented packets to bypass or disrupt network devices that read packet headers. Caution: If you select this option, Endpoint Security will silently block all fragmented packets without alerting you or creating a log entry. Do not select this option unless you are aware of how your online connection handles fragmented packets.
   • Block local servers: Prevents all programs on your computer from acting as servers to the Trusted Zone. Note that this setting overrides permissions granted in the Programs panel.
   • Block Internet servers: Prevents all programs on your computer from acting as servers to the Internet Zone. Note that this setting overrides permissions granted in the Programs panel.
   • Enable ARP protection: Blocks all incoming ARP (Address Resolution Protocol) requests except broadcast requests for the address of the target machine. Also blocks all incoming ARP replies except those in response to outgoing ARP requests.
   • Filter IP traffic over 1394: Filters FireWire traffic. You must restart your computer if you select this option.
   • Allow VPN Protocols: Allows the use of VPN protocols (ESP, AH, GRE, SKIP) even when High security is applied. With this option disabled, these protocols are allowed only at Medium security.
   • Allow uncommon protocols at high security: Allows the use of protocols other than ESP, AH, GRE, and SKIP, at High security.
   • Lock hosts file: Prevents your computer’s hosts file from being modified by hackers through spyware or Trojan horses. Because some legitimate programs need to modify your hosts file in order to function.
   • Disable Windows Firewall: Detects and disables Windows Firewall. This option will only appear if you are using Windows XP with Service Pack 2.
4. Click OK.
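The two rules behind Enable ARP protection are stateful: a reply is only acceptable if this computer asked for it. The following added sketch (not from the original guide and not Check Point's code) models them over a constructed packet sequence; the class name, the addresses, and the choice that one reply satisfies one outstanding request are assumptions.

```python
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpProtection:
    """Stateful model of the two ARP rules described for this option."""
    my_ip: str
    pending: set = field(default_factory=set)  # IPs this host has asked about

    def outgoing_request(self, target_ip):
        """Record an ARP request sent by this host."""
        self.pending.add(target_ip)

    def incoming(self, op, dst_mac, sender_ip, target_ip):
        """Return 'allow' or 'block' for one received ARP packet."""
        if op == "request":
            # Only broadcast requests that ask for this machine's own address pass.
            wanted = dst_mac.lower() == BROADCAST_MAC and target_ip == self.my_ip
            return "allow" if wanted else "block"
        if op == "reply" and sender_ip in self.pending:
            # Assumption: one reply satisfies one outstanding request.
            self.pending.discard(sender_ip)
            return "allow"
        return "block"  # unsolicited replies and unknown operations


def run_sample():
    """Replay a constructed sequence as seen by host 192.168.1.20."""
    me, gateway, peer = "192.168.1.20", "192.168.1.1", "192.168.1.7"
    unicast = "00:11:22:33:44:55"  # constructed MAC address of this host
    fw = ArpProtection(my_ip=me)
    verdicts = []
    # 1. Reply claiming to be the gateway, but nothing was asked: blocked.
    verdicts.append(fw.incoming("reply", unicast, gateway, me))
    # 2. This host asks for the gateway, so the next reply is expected.
    fw.outgoing_request(gateway)
    verdicts.append(fw.incoming("reply", unicast, gateway, me))
    # 3. A second reply for the same question is unsolicited again.
    verdicts.append(fw.incoming("reply", unicast, gateway, me))
    # 4. Broadcast request for this host's own address: allowed.
    verdicts.append(fw.incoming("request", BROADCAST_MAC, peer, me))
    # 5. Broadcast request for some other address: blocked.
    verdicts.append(fw.incoming("request", BROADCAST_MAC, peer, "192.168.1.99"))
    # 6. Request sent to this host's unicast MAC instead of broadcast: blocked.
    verdicts.append(fw.incoming("request", unicast, peer, me))
    return verdicts
```

Case 1 is the pattern the option exists for: a cache entry for the gateway cannot be overwritten by a reply the computer never requested.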


Setting Network security options

Automatic network detection helps you configure your Trusted Zone easily so that traditional local network activities such as file and printer sharing aren’t interrupted. Endpoint Security detects only networks that you are physically connected to. Routed or virtual network connections are not detected.

You can have Endpoint Security silently include every detected network in the Trusted Zone; or ask you in each case whether to add a newly detected network.

To specify Network settings:
1. Select Firewall|Main.
2. Click Advanced.
3. In the Network settings area, choose your security settings.
   • Include networks in the Trusted Zone upon detection: Automatically moves new networks into the Trusted Zone. This setting provides the least security.
   • Exclude networks from the Trusted Zone upon detection: Automatically blocks new networks from being added to the Trusted Zone and places them in the Internet Zone. This setting provides the most security.
   • Ask which Zone to place new networks in upon detection: Endpoint Security displays a New Network alert or the Network Configuration Wizard, which give you the opportunity to specify the Zone.
4. Click OK.

For more information about networking, see Chapter 3, “Networking with Endpoint Security,” starting on page 15.


Managing traffic sources

The Zones tab contains the traffic sources (computers, networks, or sites) you have added to the Trusted Zone or Blocked Zone. It also contains any networks that Endpoint Security has detected. If you are using a single, non-networked PC, the traffic source list displays only your ISP’s (Internet Service Provider’s) network, which should be in the Internet Zone.

Viewing the traffic source list

The traffic source list displays the traffic sources and the Zones they belong to. You can sort the list by any field by clicking the column header. The arrow ( ^ ) next to the header name indicates the sort order. Click the same header again to reverse the sort order.

| Field | Description |
|---|---|
| Name | The name you assigned to this computer, site, or network. |
| IP Address/Site | The IP address or host name of the traffic source. |
| Entry Type | The type of traffic source: Network, Host, IP, Site, or Subnet. Note that allowing or blocking traffic for the Host traffic type may enable security settings to be bypassed, particularly in networks where hosts receive dynamically assigned IP addresses. |
| Zone | The Zone the traffic source is assigned to: Internet, Trusted, or Blocked. |

Table 4-1: Traffic source list fields

Modifying traffic sources

From the traffic source list, you can move the traffic source from one Zone to another, add, edit, or remove a traffic source.

To change the Zone of a traffic source:
1. Select Firewall | Zones.
2. Locate the traffic source, then click in the Zone column.
3. Select a Zone from the shortcut menu, then click Apply.

To add, remove, or edit a traffic source:
1. Select Firewall | Zones.
2. In the Name column, click the traffic source, then click Add, Edit, or Remove.
3. Click Apply.

Adding to the Trusted Zone

The Trusted Zone contains computers you trust and want to share resources with. For example, if you have three home PCs that are linked together in an Ethernet network, you can put each individual computer or the entire network adapter subnet in the Trusted Zone. The Trusted Zone’s default medium security settings enable you to safely share files, printers, and other resources over the home network. Hackers are confined to the Internet Zone, where high security settings keep you safe.

Note that allowing or blocking traffic for the Host traffic type may allow security settings to be bypassed, particularly in networks where hosts receive dynamically assigned IP addresses.

To add a single IP address:
1. Select Firewall | Zones.
2. Click Add, then select IP address from the shortcut menu. The Add IP Address dialog appears.
3. Select Trusted from the Zone drop-down list.
4. Type the IP address and a description in the boxes provided, then click OK.

To add an IP range:
1. Select Firewall | Zones.
2. Click Add, then select IP address from the shortcut menu. The Add IP Range dialog appears.
3. Select Trusted from the Zone drop-down list.
4. Type the beginning IP address in the first field, and the ending IP address in the second field.
5. Type a description in the field provided, then click OK.

To add a subnet:
1. Select Firewall | Zones.
2. Click Add, then select Subnet from the shortcut menu. The Add Subnet dialog appears.
3. Select Trusted from the Zone drop-down list.
4. Type the IP address in the first field, and the Subnet mask in the second field.
5. Type a description in the field provided, then click OK.

To add a Host or Site to the Trusted Zone:
1. Select Firewall | Zones.
2. Click Add, then select Host/Site. The Add Host/Site dialog appears.
3. Select Trusted from the Zones drop-down list.
4. Type the fully qualified host name in the Host name field. To see the IP addresses before adding the site, click Lookup. If the IP addresses associated with the host name are changed after you place the host in the Trusted Zone, those IP addresses are not added to the Trusted Zone.
5. Type a description of the host/site, then click OK. Endpoint Security resolves the host name you enter with its IP address(es) and adds those IP addresses to the Trusted Zone.

To add a network to the Trusted Zone:
1. Select Firewall | Zones.
2. In the Zone column, click the row containing the network, then select Trusted from the shortcut menu.
3. Click Apply.

Endpoint Security automatically detects new network connections and helps you add them to the right Zone. For more information, see Chapter 3, “Networking with Endpoint Security,” starting on page 15.

Adding to the Blocked Zone

To add to the Blocked Zone, follow the instructions for adding to the Trusted Zone, but select Blocked from the drop-down list in step 3.
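How the traffic source list, the per-Zone security level, the General settings and program permissions combine into one allow/block decision, following the four questions in “Understanding Firewall protection”. This is an added sketch, not the guide's or Check Point's own logic; the sample entries are constructed, and the assumptions are that the Blocked Zone drops all traffic, that Blocked outranks Trusted, and that inbound TCP/UDP counts as server traffic.

```python
import ipaddress
from dataclasses import dataclass

# Constructed traffic source list, one entry per address form the Zones tab accepts.
SOURCES = [
    ("ip", "192.168.1.66", "Blocked"),
    ("range", ("10.0.0.10", "10.0.0.20"), "Trusted"),
    ("subnet", ("192.168.1.0", "255.255.255.0"), "Trusted"),
]
LEVELS = {"Trusted": "MED", "Internet": "HIGH"}  # default security levels per the guide
VPN_PROTOCOLS = {"ESP", "AH", "GRE", "SKIP"}     # named under "Allow VPN Protocols"


def matches(kind, value, addr):
    """True if addr falls inside one traffic-source entry."""
    if kind == "ip":
        return addr == ipaddress.ip_address(value)
    if kind == "range":
        low, high = (ipaddress.ip_address(v) for v in value)
        return low <= addr <= high
    if kind == "subnet":  # IP address plus subnet mask, as typed in the Add Subnet dialog
        return addr in ipaddress.ip_network("/".join(value), strict=False)
    return False


def zone_of(address, sources=SOURCES):
    """Question 1: which Zone does the remote address belong to?"""
    addr = ipaddress.ip_address(address)
    hits = {zone for kind, value, zone in sources if matches(kind, value, addr)}
    # Assumption: Blocked outranks Trusted; anything unlisted is in the Internet Zone.
    for zone in ("Blocked", "Trusted"):
        if zone in hits:
            return zone
    return "Internet"


@dataclass
class Options:
    """Subset of the General settings check boxes (all off here by assumption)."""
    block_fragments: bool = False
    block_local_servers: bool = False
    block_internet_servers: bool = False
    allow_vpn_protocols: bool = False
    allow_uncommon_at_high: bool = False


@dataclass
class Packet:
    remote: str
    protocol: str                    # "TCP", "UDP", "ICMP", "IGMP", "ESP", ...
    inbound: bool
    fragment: bool = False
    program_permitted: bool = False  # port is in use by a program with permission


def decide(pkt, opts=Options()):
    """Return (verdict, reason) for one packet."""
    zone = zone_of(pkt.remote)
    if zone == "Blocked":  # assumption: the Blocked Zone drops everything
        return "block", "Blocked Zone"
    level = LEVELS[zone]
    # Question 3: global rules apply to both Zones and override program permissions.
    if opts.block_fragments and pkt.fragment:
        return "block", "global: fragments"
    no_servers = opts.block_local_servers if zone == "Trusted" else opts.block_internet_servers
    # Assumption: inbound TCP/UDP means a local program is acting as a server.
    if no_servers and pkt.inbound and pkt.protocol in ("TCP", "UDP"):
        return "block", "global: servers blocked for " + zone + " Zone"
    if level != "HIGH":  # Question 2: below High these traffic types are allowed
        return "allow", zone + " Zone at " + level
    if pkt.protocol in ("TCP", "UDP"):  # Question 4: program permission opens the port
        ok = pkt.program_permitted
        return ("allow" if ok else "block"), "HIGH: program permission"
    if pkt.protocol in ("ICMP", "IGMP"):
        return "block", "HIGH: ICMP/IGMP blocked by default"
    ok = opts.allow_vpn_protocols if pkt.protocol in VPN_PROTOCOLS else opts.allow_uncommon_at_high
    return ("allow" if ok else "block"), "HIGH: VPN/uncommon protocol option"
```

The single Blocked address inside the Trusted subnet shows why entry precedence matters when ranges overlap; explicit per-program denials in Program Control are outside this sketch.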


Blocking and unblocking ports

Endpoint Security’s default security levels determine which ports and protocols are allowed and which are blocked. If you are an advanced user, you can change the definition of the security levels by changing port permissions and adding custom ports.

Default port permission settings

The default configuration for High security blocks all inbound and outbound traffic through ports not being used by programs you have given access or server permission except:
• DHCP broadcast/multicast
• Outgoing DHCP (port 67) - on Windows 9x systems
• Outgoing DNS (port 53) - If the computer is configured as an ICS gateway

Table 4-2: Default access permissions for incoming and outgoing traffic types

Traffic Type                                     Security levels
                                                 HIGH     MED      LOW
DNS outgoing                                     block    n/a      allow
DHCP outgoing                                    block    n/a      allow
broadcast/multicast                              allow    allow    allow
ICMP
  incoming (ping echo)                           block    allow    allow
  incoming (other)                               block    allow    allow
  outgoing (ping echo)                           block    allow    allow
  outgoing (other)                               block    allow    allow
IGMP
  incoming                                       block    allow    allow
  outgoing                                       block    allow    allow
NetBIOS
  incoming                                       n/a      block    allow
  outgoing                                       n/a      allow    allow
UDP (ports not in use by a permitted program)
  incoming                                       block    allow    allow
  outgoing                                       block    allow    allow
TCP (ports not in use by a permitted program)
  incoming                                       block    allow    allow
  outgoing                                       block    allow    allow

To change a port’s access permission:
1. Select Firewall | Main.
2. In either the Internet Zone Security or the Trusted Zone Security area, click Custom.
   The Custom Firewall Settings dialog appears.
3. Scroll to locate High and Medium security settings.
4. To block or to allow a specific port or protocol, click the check box beside it.
   Be aware that when you select a traffic type in the High security settings list, you are choosing to ALLOW that traffic type to enter your computer under High security, thus decreasing the protection of the HIGH security level. Conversely, when you select a traffic type in the Medium security settings list, you are choosing to BLOCK that traffic type under Medium security, thus increasing the protection of the MED security level.
5. Click Apply, then click OK.

Adding custom ports

You can allow communication through additional ports at High security, or block additional ports at Medium security by specifying individual port numbers or port ranges.

To specify additional ports:
1. Select Firewall | Main.


2. In either the Trusted Zone or Internet Zone area, click Custom.
   The Custom Firewall settings dialog appears.
   (Screenshot callout: Select one of these options, then specify the port number in the field that appears.)
3. Scroll to the security level (High or Medium) to which you want to add ports.
4. Select the desired port type: incoming UDP, outgoing UDP, incoming TCP, or outgoing TCP.
5. Type the port or port ranges you want to allow or block in the Ports field, separated by commas. For example, 139, 200-300.
6. Click Apply, then click OK.
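Before typing a list into the Ports field, it helps to see exactly which ports the entry covers and whether it opens or closes them, since the High list allows and the Medium list blocks. The Python sketch below is an added example, not Check Point code: the function names are hypothetical, and the watch list is an assumption built from ports this guide mentions (53, 67, 139, 389) plus the two other NetBIOS ports.

```python
import re

# One item of the Ports field: a single port ("139") or a range ("200-300").
ITEM = re.compile(r"(\d+)(?:\s*-\s*(\d+))?", re.ASCII)

# Assumed watch list for review output; labels are added here.
WATCHED_PORTS = {
    53: "DNS",
    67: "DHCP",
    137: "NetBIOS name",
    138: "NetBIOS datagram",
    139: "NetBIOS session",
    389: "LDAP",
}

# Per the guide: ports added at High are allowed, ports added at Medium are blocked.
LEVEL_ACTION = {"high": "allow", "medium": "block"}


def parse_port_field(text):
    """Parse a comma-separated port list into sorted, merged (low, high) ranges."""
    ranges = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty item in port list")
        match = ITEM.fullmatch(item)
        if match is None:
            raise ValueError(f"not a port or port range: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port out of range or range reversed: {item!r}")
        ranges.append((low, high))
    ranges.sort()
    merged = [ranges[0]]
    for low, high in ranges[1:]:
        last_low, last_high = merged[-1]
        if low <= last_high + 1:
            # Overlapping or adjacent: fold into the previous range.
            merged[-1] = (last_low, max(last_high, high))
        else:
            merged.append((low, high))
    return merged


def custom_port_effect(level, field):
    """Summarize what a Ports field entry does at the given security level."""
    try:
        action = LEVEL_ACTION[level.lower()]
    except KeyError:
        raise ValueError(f"custom ports exist only for High and Medium, not {level!r}")
    ranges = parse_port_field(field)
    watched = {
        port: name
        for port, name in WATCHED_PORTS.items()
        if any(low <= port <= high for low, high in ranges)
    }
    return {
        "action": action,
        "ranges": ranges,
        "port_count": sum(high - low + 1 for low, high in ranges),
        "watched": watched,
    }


if __name__ == "__main__":
    # The guide's own example string, evaluated for both lists.
    for level in ("High", "Medium"):
        print(level, custom_port_effect(level, "139, 200-300"))
```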




Chapter 5: Virtual private networking

A virtual private network (VPN) lets you use the internet to connect remotely to your company’s private network or intranet. VPNs allow private and secure communication while using public networks such as the Internet for transmission.

Topics:
• “Endpoint Security VPN basics,” on page 40
• “Configuring profiles and sites,” on page 42
• “Managing certificates,” on page 51
• “Configuring connection options,” on page 56
• “Advanced configuration options,” on page 59
• “Managing your VPN connection,” on page 60
• “Connection status,” on page 64


Endpoint Security VPN basics

Endpoint Security VPN lets you connect securely to your enterprise network when you are working remotely. After your computer and the VPN site prove their identities (or authenticate), all subsequent communication is encrypted and secure. You can then access private files over the Internet knowing that unauthorized persons cannot view or alter them. The VPN connection can be made directly to the server or through an Internet Service Provider (ISP). Remote users can connect to the organization using any network adapter (including wireless adapters) or modem dialup.

Endpoint Security’s VPN feature authenticates the parties and encrypts the data that passes between them. The VPN feature uses standard Internet protocols for strong encryption and authentication. Encryption ensures that only the authenticated parties can read the data passed between them. In addition, the integrity of the data is maintained, which means the data cannot be altered during transit.

The VPN Main panel displays information about any current VPN connection (if any) and about the status of your remote connection to Endpoint Security Server. From the Main panel, you can launch the Site Wizard to create a VPN site, connect to or disconnect from a VPN site, or open the VPN Settings dialog box to configure profiles and sites, configure any special connection options, or manage certificates. For information about these and related functions, go to the appropriate section:
• “Obtaining Authentication Credentials,” on page 40
• “Compact and extended versions of the VPN interface,” on page 41
• “Defining a site,” on page 47
• “Connecting and disconnecting,” on page 60
• “Configuring profiles and sites,” on page 42
• “Managing certificates,” on page 51

Obtaining Authentication Credentials

When you connect to a site, and supply identification details, you are supplying authentication credentials. There are many authentication methods available for SecureClient. The recommended way to authenticate is through the use of certificates. A certificate and your password (to open the certificate) are your authentication credentials.

Contact your system administrator regarding your credentials. He or she supplies you with one of the following:
• A registered certificate (on diskette, or a hardware token) and password (for opening the certificate)
• A registration code that allows you to complete the certificate creation process online.


• Alternative authentication methods, such as a user name and password, or SecurID card.

Compact and extended versions of the VPN interface

Your administrator can deploy Endpoint Security with either a compact or an extended version of the VPN interface. You can also change versions yourself when the client is running. Compact view provides a simplified view of the VPN interface for users who do not need multiple sites or profiles. Extended view is for more advanced users who need to connect to different VPN sites and who want to manage their VPN configuration in greater detail. Depending on which view you use, you will see differences in the interface. Such differences are noted in the documentation.

To switch between extended and compact views:
1. If you are switching from extended to compact view, you must first:
   • delete all sites (See “Deleting sites,” on page 50.)
   • disable Auto Local Logon (See “Auto Local Logon,” on page 57.)
   • disable Secure Domain Logon (See “Secure Domain Logon,” on page 57.)
2. Do one of the following:
   • In the Endpoint Security interface, go to the VPN panel, click VPN Settings, and go to the Advanced tab.
   • Right-click the Endpoint Security system tray icon, select VPN Options | VPN Settings, and go to the Advanced tab.
3. In the Product View section, select Extended View or Compact View, as desired. Then click OK.
   Endpoint Security asks you to confirm that you want to restart VPN service.
4. Click OK.
   The VPN panel shows a message indicating that VPN services are restarting. When Endpoint Security restores the VPN panel, it activates the desired view.


Configuring profiles and sites

A site represents the organization you want to connect to. A profile defines the parameters Endpoint Security will use to connect to your site.

Before SecureClient connects to a site it needs to obtain information regarding the site’s structure, such as the computers and servers available within the organization. The connection wizard gathers this site information. The initial connection, which is different from all subsequent connections, obtains the site’s structure (or topology). During this process you are requested to prove who you are, either by supplying a certificate, or through some other means. If you are using certificates to authenticate yourself but have not received one from your system administrator, you will be asked to register. Registering a certificate means that you will complete a certificate creation process which was initiated by your system administrator. Once this process of defining a site is complete, regular connections can take place.

The settings window displays all your connection profiles, either those you created yourself or profiles created for you by your system administrator. Use this settings window to define your site and authentication methods.

The following topics are covered:
• “Managing connection profiles,” on page 43
• “Managing VPN sites,” on page 47


Managing connection profiles

A connection profile defines the parameters Endpoint Security uses to connect to your site. Most users need only one profile. However, if your network environment changes frequently (for example, if you sometimes connect from hotels or from a partner company’s network), you or your system administrator may need to create several different profiles. Each profile connects to the site in a slightly different way, for example using Office mode or Hub mode. Endpoint Security automatically downloads new profile information when you do a site update. If you have more than one profile, contact your administrator to find out which one to use.

The functions described in this section are only available in extended view. (For details on compact versus extended view, see “Compact and extended versions of the VPN interface,” on page 41.)

The following topics are covered.
• “Creating a new profile,” on page 43
• “Exporting and importing profiles,” on page 44
• “Cloning profiles,” on page 44
• “Changing profiles,” on page 44
• “Creating a profile shortcut on your desktop,” on page 45
• “Viewing profile properties,” on page 45
• “Deleting profiles,” on page 46

Creating a new profile

If you are using VPN extended view, your system administrator might require you to create a new connection profile for a particular site. Note that you can only create a new connection profile if you have already defined at least one site.

To create a new connection profile:
1. Do one of the following:
   • Go to VPN | VPN Settings | Connections tab.
   • Right-click or double-click on the system tray icon, choose Connect to VPN, click Options, and select the Connections tab.
2. Click New | Profile.
   The Profile Properties window opens.
3. Type a profile name and description in the appropriate fields. Then select a site from the Site drop-down list, and a gateway from the Gateway drop-down list.


4. Click the Advanced tab, and select any configuration options specified by your administrator.
5. Click OK to close the Profile Properties dialog box and then click OK to close the VPN Settings dialog box.

Exporting and importing profiles

You can export (save) and import existing profiles. This is useful, for example, if your administrator creates a profile and asks you to import it.

To export or import a profile:
1. Go to VPN | VPN Settings | Connections tab.
   To export a profile, go to step 2. To import a profile, go to step 3.
2. To export a profile, do one of the following:
   • Select the desired profile and then click Options | Export Profile.
   • Right-click the desired profile and select Export Profile.
3. To import a profile, click New | Import Profile.

Cloning profiles

You can clone profiles and then modify and save them as new profiles.

To clone a profile:
1. Go to VPN | VPN Settings | Connections tab.
2. Do one of the following:
   • Select the desired profile and then click New | Clone Profile.
   • Right-click the desired profile and select Clone Profile.
   The Profile Properties dialog box appears.
3. Modify the profile properties as desired. For example, change the name, the description, or the gateway.
4. Click OK.

Changing profiles

If you are using VPN extended view and if you have configured more than one profile, you can change the profile with which you connect. Note that you cannot change profiles while connected to a VPN site.

To switch profiles:
1. If you are connected to a VPN site, disconnect by doing one of the following:


   • Right-click the Endpoint Security system tray icon and select Disconnect from VPN.
   • Go to VPN and click Disconnect.
2. Bring up the VPN Connection dialog box by doing one of the following:
   • Right-click the Endpoint Security system tray icon and select Connect to VPN.
   • Go to VPN and click Connect.
3. In the Location Profile drop-down list, choose the desired profile.
4. Type your password and click Connect.
   The selected profile is now your default.

Creating a profile shortcut on your desktop

You can create a desktop shortcut that brings up the VPN Connection dialog configured to use your chosen profile. This works only for profiles that specify a particular gateway (as opposed to profiles that use the default, “Any Gateway”).

To create a profile shortcut:
1. Go to VPN | VPN Settings | Connections tab.
2. Do one of the following:
   • Select the desired profile and then click Options | Create Shortcut.
   • Right-click the desired profile and select Create Shortcut.
   You can now double-click the shortcut on your desktop to initiate a VPN connection.

Viewing profile properties

Endpoint Security displays profile properties in the Profile Properties dialog box. This same dialog box also appears when you start to clone a profile or create a new profile. This section explains how to view profile properties. For information on cloning and creating new profiles, see “Cloning profiles,” on page 44 and “Creating a new profile,” on page 43.

To view profile properties:
1. Go to VPN | VPN Settings | Connections tab.
2. Right-click on the desired profile and choose Properties.
   The Profile Properties dialog appears.
3. Click on any of the following tabs:
   • General—shows the site name, site description, and gateway.


   • Advanced—lets you configure Office Mode, connectivity enhancements, and Visitor Mode.

Deleting profiles

If you use VPN extended view, you can delete profiles when they are no longer useful. Note that you can only delete a profile that you created; you cannot delete a profile downloaded by your network administrator.

To delete profiles:
1. Go to VPN | VPN Settings | Connections tab.
2. Do one of the following:
   • Select the desired profile and then click Delete.
   • Right-click the desired profile and select Delete Profile.
3. In the confirmation dialog box that appears, click Yes.


Managing VPN sites

Before you can establish a VPN connection, you must define a destination site (a VPN server or device) to which to connect. A site definition tells Endpoint Security how to connect to the VPN site. During the initial connection, which differs from all subsequent connections, you must prove your identity by supplying a certificate or through some other means of authentication. Endpoint Security then obtains the site's structure (or topology). After the site is defined, regular connections can take place.

The following topics are covered:
• “Defining a site,” on page 47
• “Viewing site properties,” on page 48
• “Changing authentication methods,” on page 49
• “Updating sites,” on page 49
• “Disabling sites,” on page 50
• “Deleting sites,” on page 50

Defining a site

You must define a site before you can establish a VPN connection. If you have configured Endpoint Security to display the extended version of the VPN interface, you can define additional sites as needed. Using the instructions in this section, work through the Site Wizard to define a new site.

Before defining a site, make sure your administrator gives you information about your method of authentication (user name and password, certificate, or similar). If you are planning to use a certificate for authentication, you should already have created the certificate or received one from your administrator. (For information on certificates, see “Managing certificates,” on page 51.)

To define a site:
1. Do one of the following:
   • If you are using Endpoint Security VPN functionality for the first time, and have not defined a site, go to VPN | Connect. In the dialog box that asks whether to define a new site, click Yes.
   • If you have already defined a VPN destination site, and now want to define another, go to VPN | VPN Settings | Connections. Then, if you are in extended view, click New | Site; or, if you are in compact view, click Define Server.
   The Site Wizard dialog box appears.


2. Type the VPN site’s IP address or host name and, optionally, select Display Name and type a display name. Then click Next.
   Endpoint Security takes a moment to identify the site. The Select Connectivity Settings dialog appears.
3. Select the method of authentication. (Your administrator should have provided you with the necessary information.) The choices and subsequent actions are:
   • User name and Password—If you choose this option, click Next to advance to the User Details dialog box. Type the user name and password provided by your administrator, and click Next.
   • Certificate—If you choose this option, click Next to advance to the Certificate Authentication dialog box. Browse and select your certificate and then type the certificate password. (Optionally, you can click View Certificate to see the certificate.) Click Next.
   • SecurID—If you choose this option, click Next to advance to the SecurID Authentication dialog box. Choose one of the following options: 1) Use Key FOB hard token, 2) Use PinPad card, or 3) Use SecurID Software token. Click Next. Type the necessary information for your authentication type. (For example, if you choose Use PinPad card, type your user name and passcode.) Click Next.
   • Challenge Response—If you choose this option, click Next to advance to the Challenge Response dialog box. Type your user name and click Next.
4. Choose the desired connectivity setting (Standard or Advanced) and click Next.
   After a couple of moments, the Please Validate Site dialog box displays your certificate’s fingerprint and distinguished names (DN).
5. If your administrator gave you the site’s fingerprint and DN, compare them to those in the dialog box. If they match, click Next.
   The Site Created Successfully dialog appears.
6. Click Finish.

Viewing site properties

Endpoint Security lets you view site properties, such as the site IP address and the authentication method. Information in the Site Properties dialog box is divided into the following categories:
• General—shows the site name, site IP address, and the last site update time.
• Authentication—lets you view or modify the authentication method. For details, see “Changing authentication methods,” on page 49.
• Advanced—lets you enable the NAT-T protocol. For details on NAT-T, see “Enabling Connectivity Enhancements,” on page 62.


To view site properties:
1. Go to VPN | VPN Settings | Connections tab.
2. Right-click on the desired site and choose Properties.
   The Site Properties dialog appears.
3. Click on the General, Authentication, or Advanced tab, as desired.

Changing authentication methods

Your administrator may ask you to change your VPN authentication method. If so, he or she should provide you with authentication credentials (for example, a new certificate or a user name and password). If your laptop acts as a terminal for other users, each user connecting to the site with their own unique certificates, then you will need to switch certificates as the need arises. Note that you cannot change authentication methods while connected to a VPN site.

To change authentication methods:
1. If you are connected to a VPN site, disconnect by doing one of the following:
   • Right-click the Endpoint Security system tray icon and select Disconnect from VPN.
   • Go to the VPN panel and click Disconnect.
2. Go to VPN | VPN Settings | Connections tab.
3. Right-click on a site and select Properties.
   The Site Properties window opens.
4. Click the Authentication tab and choose the appropriate authentication method from the Scheme drop-down list.
5. Enter the information appropriate for your authentication method. For example, if you are using a certificate, click Browse and choose the certificate.
6. Click OK to save your changes.

Updating sites

When you update a site, you download any new client settings and any updated information about the site and its associated profiles, including any new profiles your administrator has configured. To update a site, you must first be connected to the site. If you are not connected when you attempt to update, Endpoint Security prompts you to connect.

To update a site:
1. Go to VPN | VPN Settings | Connections tab.
2. Do one of the following:


   • Select the desired site and then click Options | Update Site.
   • Right-click the desired site and select Update Site.
   If you are already connected to the site, a progress window indicates when the update is complete. If you are not connected, Endpoint Security prompts you to connect. You must do so to complete the update. (For details on connecting, see “Connecting and disconnecting,” on page 60.)

Disabling sites

You can disable a site, and then enable it later. Note that, by disabling a site, you also disable all associated profiles.

To disable a site:
1. Go to VPN | VPN Settings | Connections tab.
2. Disconnect your VPN connection.
3. Do one of the following:
   • Select the desired site and then click Options | Disable Site.
   • Right-click the desired site and select Disable Site.
   A red “x” appears on the icons for the site and associated profiles indicating they are disabled.
4. If you later wish to enable the site, do one of the following:
   • Select the desired site and then click Options | Enable Site.
   • Right-click the desired site and select Enable Site.

Deleting sites

You can delete sites when they are no longer useful. Note that, by deleting a site, you also delete all associated profiles.

To delete sites:
1. Go to VPN | VPN Settings | Connections tab.
2. Disconnect your VPN connection.
3. Do one of the following:
   • Select the desired site and then click Delete.
   • Right-click the desired site and select Delete Site.
4. In the confirmation dialog box that appears, click Yes.


Managing certificates

It is recommended to use digital certificates for authentication when establishing a VPN connection. Certificates are more secure than other methods such as user name and password. When authenticating with certificates, Endpoint Security and the VPN site each confirm that the other’s certificate has been signed by a known and trusted certificate authority, and that it has not expired or been revoked.

You or your administrator must enroll with a certificate authority. You can use any third-party OPSEC (Open Platform for Security) PKI (Public Key Infrastructure) certificate authority that supports the PKCS#12, CAPI, or Entrust standards.

Endpoint Security lets you create or renew Check Point certificates and manage Entrust certificates. All certificate functions are available in both the compact and extended versions of the VPN interface. The following topics are covered:
• “Managing Entrust certificates,” on page 51
• “Creating Check Point certificates,” on page 53
• “Renewing Check Point certificates,” on page 54

Managing Entrust certificates

Endpoint Security accommodates Entrust certificates. If desired, you can use Entrust Entelligence(TM) to create and recover certificates. When you use Entrust for certificate management, Endpoint Security automatically connects to the Entelligence UI when appropriate.

To use an Entrust certificate for authentication, you must:
1. Enable Entrust Entelligence.
2. Initiate the Entrust certificate.
3. Create the Entrust certificate.
The sections that follow explain how.

Enabling Entrust Entelligence

To enable Entrust Entelligence:
1. Go to VPN | VPN Settings | Certificates tab.
2. Deselect Don’t use Entrust Entelligence.

Initiating Entrust certificates

To initiate the creation of an Entrust certificate, you must register with the Entrust certificate authority by sending an .ini file (entrust.ini) to the certificate authority. The entrust.ini file, located by default in your Windows directory (for example, C:\Windows), contains information about the Entrust CA in the appropriate format.

To initiate an Entrust certificate:
1. Go to VPN | VPN Settings | Certificates tab.
2. Click Select INI file, browse to the appropriate file, and click Open.
   By default, the .ini file is stored in your Windows directory (for example, C:\Windows).
3. Click Configure INI file.
   The Configure Entrust.INI dialog appears.
4. Type the following information:
   • The CA manager’s host name or IP address and its port number. The default port number is 709.
   • The LDAP Server’s host name or IP address and its port number. The default port number is 389.
5. Click OK.

Creating Entrust certificates

This section explains how to create an Entrust certificate. Before you begin, make sure your administrator has given you a reference number and authorization code, which are required for completing the process.

To create an Entrust certificate:
1. Go to VPN | VPN Settings | Certificates tab. In the Entrust Certificates section, click Create.
   The Create User dialog box appears.
2. Select Save to File. Then click Browse to select the directory in which to save the certificate.
3. Type and confirm a password for your profile. Your password must conform to the following Entrust specifications:
   • At least eight characters long
   • At least one uppercase letter or a numerical digit
   • At least one lowercase letter
   • No long strings of repeating characters
   • No long substrings of the user name
4. Specify your profile parameters by entering the Reference Number and Authorization code supplied by your system administrator.


5. Click OK. In the confirmation dialog box that appears, click OK again.

Creating Check Point certificates

Your system administrator might ask you to create a new Check Point certificate. You can store a Check Point certificate either as a Public-Key Cryptography Standard #12 (PKCS#12) file or as a hardware or software token (CAPI). Confirm with your system administrator how you should store the certificate.

PKCS#12 is a standard portable format (with a p12 extension) for transporting and storing private keys and certificates. CAPI (CryptoAPI) is a cryptographic application programming interface from Microsoft. You can access a Microsoft Certificate authority using Internet Explorer to store and retrieve CAPI certificates. Endpoint Security can retrieve and store this type of certificate. Your administrator may also give you a hardware token for storing certificates. Hardware tokens provide greater security, since the private key used to encrypt the connection resides only on the hardware token.

Before you begin, get the following information from your administrator:
• the certificate format you should choose
• the certificate registration key
• the IP address (or host name) of the VPN gateway

The following topics are covered:
• “Creating a Check Point certificate as a PKCS#12 file,” on page 53
• “Creating a Check Point certificate as a CAPI token,” on page 54

Creating a Check Point certificate as a PKCS#12 file

If your system administrator has asked you to save the certificate as a PKCS#12 file, follow the instructions in this section.

To create a PKCS#12 file:
1. Go to VPN | VPN Settings | Certificates | Create Certificate.
   The Check Point Certificate dialog box appears.
2. Choose to save the certificate as a file (PKCS #12 format). Click Next.
3. Type the connection site IP address or host name and the registration key. Click Next.
4. Type and confirm a password for use with the certificate. Click Next.
5. In the confirmation dialog that appears, click Finish.


Creating a Check Point certificate as a CAPI token

If your system administrator has asked you to save the certificate as a hardware or software token, follow the instructions in this section.

Before you begin, make sure your administrator has specified which Cryptographic Service Provider (CSP) to use. Some CSPs need special hardware (for example, a token reader/writer), while others do not. Endpoint Security works with the CSPs supported by the Windows operating system.

To create a hardware or software token:
1. Go to VPN | VPN Settings | Certificates | Create Certificate.
   The Check Point Certificate dialog box appears.
2. Choose to save the certificate as a hardware or software (CAPI) token. Click Next.
   The Create Check Point Certificate window opens.
3. Select the Cryptographic Service Provider (CSP) for your certificate storage, and then click Next.
   The Create Check Point Certificate dialog box appears. (Note that each CSP uses its own unique configuration dialog boxes. Any deviations from the remaining instructions (in terms of window design, pop-up messages, authentication requirements, and so on) are due to differences in the CSP implementation. For details, consult your CSP’s documentation.)
4. Type the connection site IP address or host name and the registration key. Click Next.
   The Creating a new RSA signature key window opens.
5. Click Security Level, select the level specified by your administrator, and click Next.
   A confirmation window appears.
6. Click Finish. Then, in the Root Certificate Store dialog box that appears, click Yes.
   A confirmation dialog box appears.
7. Click Finish.

Renewing Check Point certificates

Endpoint Security automatically prompts you to renew your Check Point certificate shortly before it expires. Alternatively, you can renew the certificate at any time.

To renew a certificate:
1. Go to VPN | VPN Settings | Certificates | Renew Certificate. Note that Endpoint Security displays the Renew Check Point Certificate dialog box automatically if your certificate is about to expire.
2. In the Certificate field, confirm the location of your current certificate or, if the new location is not displayed, click Browse and select it. In the Current password field, enter the password to open the certificate. Click Next.
   The Save Certificate dialog box appears.
3. Confirm the certificate file name and location. Type the new password in the Password and Confirm Password fields. (Your password should contain at least six characters, of which four must be unique.) Click Next.
   The Check Point Certificate dialog box appears.
4. Click Finish.

Endpoint Security will use this renewed certificate the next time you authenticate to a site.


Configuring connection options

This section describes various connection and login options.

The following topics are covered:
• “Auto-Connect,” on page 56
• “Secure Domain Logon,” on page 57
• “Auto Local Logon,” on page 57
• “Proxy Settings (Visitor Mode),” on page 57

Note that Auto-Connect, Secure Domain Logon, and Auto Local Logon are not available in the compact version of the VPN interface.

Auto-Connect

Auto-connect prompts you to establish a VPN connection when you first try to access a private network, such as the company intranet. This saves you the time of navigating through Endpoint Security and initiating the connection yourself.

By default, if Endpoint Security detects traffic destined for the site, it connects to the site and encrypts the traffic. If Endpoint Security is not connected to the site, it drops the connection unless you override this default. If you override the default, the traffic is sent clear. In connect mode, you are not prompted to connect to the site.

In Auto-Connect mode, Endpoint Security prompts you to establish a VPN connection every time it detects traffic destined for your corporate network or intranet site. If you choose to connect, Endpoint Security encrypts traffic to the site. If you do not connect, Endpoint Security prompts you to indicate how long to wait before reminding you again to connect. During this time, traffic to the site is sent unencrypted. However, if your site is configured to drop all unencrypted traffic, you will not be able to communicate with servers behind the site’s gateway.

Note that, in Auto-Connect mode, when Endpoint Security detects traffic destined for the site, it automatically connects. If Office mode is also enabled, you must re-initiate the connection after the Auto-Connect connection has succeeded.

To activate Auto-Connect:
1. Go to VPN | VPN Settings | Options tab.
2. Select Enable Auto-Connect and click OK.
   The Enable Auto Connect dialog appears.
3. Select the desired relaunch option and click OK.


Secure Domain Logon

In a Windows environment, your account may belong to a domain controlled by a domain controller. (A domain controller is a computer that provides Microsoft Active Directory directory service to network users and computers.) Secure Domain Logon (SDL) is useful when the domain controller lies behind your site’s FireWall Gateway.

When you try to establish a VPN connection to a Windows domain, Endpoint Security sends your login credentials to the domain controller for verification. By default, Endpoint Security establishes the VPN connection only after the login process, which means traffic to and from the domain controller is not encrypted. When you enable SDL, Endpoint Security establishes the VPN connection before communicating with the domain controller.

To enable Secure Domain Logon:
1. Go to VPN | VPN Settings | Options tab.
2. Select Enable Secure Domain Logon and click OK.

Auto Local Logon

If you log in to the VPN site with a user name and password (as opposed to logging on with a certificate), you can enable Auto Local Logon to automate your login. Your password for the VPN site is encrypted using your password as a key. If you enable both Auto Local Logon and Auto-Connect, Endpoint Security automatically establishes a VPN connection when you first try to access a site that requires encrypted communication (that is, traffic whose destination is the VPN site). This is useful for unattended computers that serve many end users in the manner of a terminal.

To enable Auto Local Logon:
1. Go to VPN | VPN Settings | Options tab.
2. Select Enable Auto Local Logon and click Auto Local Logon Options.
3. In the dialog that appears, type your Windows user name and password and VPN user name and password and then click OK.
   A message displays stating that your change will be applied after the next reboot.
4. When the dialog closes, click OK to close the VPN Settings dialog box.

Proxy Settings (Visitor Mode)

When a user connects to the organization from a remote location such as a hotel or the offices of a customer, Internet connectivity may be limited to web browsing using the standard ports designated for HTTP, typically port 80 for HTTP and port 443 for HTTPS. Since the remote client needs to perform an IKE negotiation on port 500 or send IPSec packets (instead of the usual TCP packets), a VPN tunnel cannot be established in the usual way. This issue is resolved using Visitor Mode, formally known as TCP Tunneling. If you are going to configure proxy settings, contact your system administrator for a valid user name and password to use to access the proxy.

Visitor Mode tunnels all client-to-Gateway communication through a regular TCP connection on port 443. All required VPN connectivity (IKE, IPsec, etc.) between the Client and the Server is tunneled inside this TCP connection. This means that the peer Gateway needs to run a Visitor Mode (TCP) server on port 443.

To configure proxy settings:
1. Go to VPN | VPN Settings | Options tab.
2. Click Configure Proxy Settings.
3. In the dialog that appears, configure your proxy settings. Choices are as follows:
   • No proxy/transparent proxy—the default.
   • Detect proxy from Internet Explorer settings—tells Endpoint Security to take proxy settings from Internet Explorer. Before selecting this setting, you must ensure that the Internet Explorer settings are defined manually. This means that in Internet Explorer, Tools > Internet options... > Connections tab > LAN Settings, the “Use a proxy server for this connection...” option is selected. If Automatically detect settings or Use automatic configuration script is selected, SecuRemote/SecureClient will not be able to detect the proxy settings from Internet Explorer.
   • Manually define proxy—In a situation where the proxy's settings cannot be automatically detected, you may be required to configure the Internet Explorer settings according to the instructions provided by your system administrator. Your system administrator supplies an IP Address and port number for the proxy.
4. In the Proxy Authentication section, enter the user name and password to use for proxy authentication, then click OK.


Advanced configuration options

If you are using the extended version of the VPN interface, Endpoint Security provides the following advanced configuration options:
• “Enabling logging,” on page 66
• “Obtaining Authentication Credentials,” on page 40


Managing your VPN connection

The following topics are covered:
• “Connecting and disconnecting,” on page 60
• “Connecting through a hotspot,” on page 61
• “Enabling Office Mode,” on page 61
• “Enabling Hub Mode,” on page 62

Connecting and disconnecting

This section explains how to connect to and then disconnect from a VPN site. The instructions assume you have already defined at least one site. (For information on defining sites, see “Defining a site,” on page 47.)

To connect to an existing site:
1. Do one of the following:
   • Right-click the Endpoint Security icon in the system tray and select Connect to VPN.
   • In Endpoint Security, go to VPN | Connect.
   The VPN Connection dialog box opens. Depending on your authentication method, the dialog box displays different fields. For example, if you authenticate using certificates, the certificate path is displayed and you are prompted to enter your password.
2. Type the appropriate information and click Connect.
   Endpoint Security displays a window showing progress and whether the connection is successful.

To disconnect:
1. Do one of the following:
   • Right-click the Endpoint Security icon in the system tray and select Disconnect from VPN.
   • In Endpoint Security, go to VPN | Disconnect.
   A confirmation dialog box appears.
2. Click Yes.


Connecting through a hotspot

If you do not see the hotspot option, contact your system administrator.

You can enable Hotspot registration either by right-clicking the system tray icon or by selecting the Options button in the Connect window.

Once Register to Hot Spot/Hotel is selected, a balloon message appears indicating the time period allowed for registration.

Suspending pop-up messages

When SecureClient is disconnected from the site and Auto-Connect is enabled, you are prompted to connect via a popup message every time SecureClient detects traffic destined for the site. This popup message can be suspended.

If you choose to suspend popup messages, for example for sixty minutes, then during those sixty minutes all traffic to the site is either dropped or sent unencrypted. When the sixty minutes expire, you are once again prompted to connect each time SecureClient detects traffic destined for the site.

To suspend pop-up messages:
1. Right-click the SecureClient icon in the system tray.
2. From the pop-up menu select VPN Options | Suspend Auto-Connect Popups.
   The Suspend Popup Messages window opens.
3. Select the popup suspension option you want, then click OK.

Enabling Office Mode

Office mode causes the gateway to assign your computer a temporary IP address that is guaranteed not to conflict with any other IP address at the site. The assignment is made after authentication and remains valid as long as you are connected. This feature overcomes certain connectivity issues. If your administrator wants you to use Office mode, he or she may deploy a profile that enables it. If, on the other hand, you are asked to configure Office mode manually, follow the instructions in this section.

Note that, when office mode is enabled along with auto-connect mode, the user must re-initiate the connection after the auto-connect connection has succeeded.

Office Mode enables a VPN-1 Pro Gateway to assign a remote client an IP address. The assignment takes place once the user connects and authenticates. The assignment lease is renewed as long as the user is connected.

Typically, when remote access is implemented, the client connects using an IP address locally assigned by, for example, an ISP. The client may even receive a non-routable IP which is then hidden behind a NAT device.

However, with Office Mode, the address may be taken either from a general IP pool, or from an IP address pool specified per user group. The address can be specified per user, or via a DHCP server, enabling the use of a name resolution service. With DNS name resolution, it is easier to access the client from within the corporate network.

To enable Office mode:
1. Go to VPN | VPN Settings | Connections tab.
2. Right-click on the profile and choose Properties.
   The Profile Properties dialog box appears.
3. Click the Advanced tab, select Office Mode, and click OK.

Enabling Hub Mode

Hub mode enables SecureClient to use the site’s Gateway as a router. Traffic from SecureClient is not forwarded to the internal site but forwarded to another Gateway.

The decision whether to use Hub mode is taken by your system administrator. You might be instructed to enable Hub mode manually.

To enable Hub mode:
1. Go to VPN | VPN Settings | Connections tab.
2. Right-click on the profile and choose Properties.
   The Profile Properties dialog box appears.
3. Click the Advanced tab, select Route all traffic through gateway, and click OK.

Enabling Connectivity Enhancements

Connectivity enhancements include:
• NAT traversal
• Visitor Mode

The negotiation prior to the establishment of a VPN tunnel might result in the production of large packets. Some NAT devices may not fragment large packets correctly, making the connection impossible. To resolve this issue, there are several methods that may be used:
• NAT-T - NAT-T is based on IETF RFC 3193 and draft-02 of the IETF NAT-T specification. When a remote user initiates a VPN session with a Gateway, the remote host informs the Gateway that it is able to communicate using NAT-T. During the initial negotiation, both peers attempt to detect whether the traffic passed through a NAT device. If a NAT device is detected between the peers, communication between them switches to UDP port 4500. NAT-T is not supported using Aggressive Mode. UDP port 4500 must be enabled, because it will be used for the entire VPN session.
• IKE over TCP - IKE over TCP solves the problem of large UDP packets created during IKE phase I. The IKE negotiation is performed using TCP packets. TCP packets are not fragmented; in the IP header of a TCP packet, the DF flag (“do not fragment”) is turned on. A full TCP session is opened between the remote host and the Gateway for the IKE negotiation during phase I.
• UDP Encapsulation - This method adds a special UDP header that contains readable port information to the IPSec packet. The new port information is not the same as the original. The port number 2746 is included in both the source and destination ports. The NAT device uses the source port for the hide operation but the destination address and port number remain the same. When the peer Gateway sees 2746 as the port number in the destination address, the Gateway calls a routine to decapsulate the packet.


Connection status

The following topics are covered:
• “Viewing general status information,” on page 64
• “Viewing activity statistics,” on page 64
• “Viewing connection details,” on page 64
• “Enabling logging,” on page 66

Viewing general status information

You can view current connection status, active profile name, connection duration, and remaining time before re-authentication.

To view general status information:
Go to VPN.

Viewing activity statistics

The activity viewer shows details about the compression and decompression of IP packets. This information may be helpful to administrators when troubleshooting.

To view activity statistics:
Go to VPN | Activity tab.

Viewing connection details

Endpoint Security provides the following categories of information about the current connection:
• Status Summary—the Endpoint Security connection status, the gateway IP address, and the current computer’s IP address.
• Connections—the name, IP address, site name, and tunnel properties of each available gateway. The active gateway is designated “(Primary)”.
• Gateway information—Endpoint Security displays basic data for each available gateway: the gateway name, gateway IP address, and the site name or IP address. It also shows whether Hub mode is active. Hub mode, which the administrator can configure on the gateway, enables Endpoint Security to route connections through the site's gateway.
• UDP Encapsulation—enables Endpoint Security to overcome problems created by a Hide NAT device.
• Visitor Mode/Office Mode—1) Sometimes Endpoint Security needs to connect through a Gateway that limits connections to port 80 or 443. For a successful VPN connection to take place, all traffic between Endpoint Security and the Site has to be tunneled inside a regular TCP connection on port 443. This “TCP tunneling” is called Visitor Mode. 2) There are cases where Endpoint Security is assigned a private IP address that conflicts with an identical address on the network behind the remote VPN peer. When Office mode is active, Endpoint Security receives a special Office mode IP from the Gateway. This prevents conflicts with addresses on the remote network.
• Tunnel Active—indicates whether the VPN tunnel is open.
• IP Compression—IP compression is a process that reduces the size of the data being sent. Such a reduction can cause significant improvement in performance. IP compression is important for Endpoint Security users with slow links, for example dialup.
• IKE over TCP—IKE negotiation typically takes place over UDP. However, during the IKE negotiation between Endpoint Security and the site, large UDP packets might be created. If these large packets are fragmented along the way, the IKE negotiation fails. TCP packets are not, as a rule, fragmented, so in cases where large IKE packets are created, enable IKE over TCP.
• Tunnel MTU Properties—This value relates to the size of the packets that can be sent across the physical network. When Endpoint Security is communicating across multiple routers with a site, it is the smallest Maximum Transmission Unit (MTU) of all the routers that is important. The current MTU is displayed here.
• Computer—the current computer’s connection status and other connection information.
• Active Connection Settings—a summary of the current profile, including the site to which to connect, the gateway hostname, and the internet protocol specifications.
• Name—The name of the connection profile. The name might be an IP Address. This is the name that appears in the VPN Connection window.
• Description—Descriptive name for the profile, showing additional information.
• Site—Name of the site to connect to.
• Profile Gateway—Name of the Gateway specified in the connection profile.
• Selected Gateway—The actual Gateway that was chosen for the connection. This may differ from the gateway defined in the connection profile.
• Gateway defined in the connection profile—For example if the Gateway in the profile did not respond, and the Gateway has a backup which took the connection.


• Support Office mode—Shows whether Office mode is supported or not. That is, whether Endpoint Security is receiving a special IP address from the Gateway.
• Support IKE over TCP—Shows whether the tunnel negotiation is taking place over TCP instead of UDP in order to avoid the issue of large packets being fragmented.
• Force UDP Encapsulation—Whether UDP encapsulation is being used to overcome problems created by hide NAT devices that do not support packet fragmentation.
• Visitor Mode—Whether visitor mode is active. For example, if Endpoint Security needs to perform the IKE negotiation prior to establishing a VPN tunnel over a regular TCP connection on port 443.
• Route all traffic through gateway (Hub mode)—Shows whether Hub mode is active. Hub mode is the mode in which Endpoint Security uses the Gateway as a router to other destinations providing higher levels of security and connectivity.
• Tunnel MTU Discovery—Shows whether the process that discovers the Maximum Transmission size of packets from Endpoint Security to the Gateway is active.

To view connection details:
Go to VPN and click the Connection Details link.

Enabling logging

For troubleshooting purposes, your system administrator may ask you to create a report log. The report log contains site-specific information and should be treated as strictly confidential. Send the report only to an authorized authority, such as your system administrator.

To enable logging:
1. Go to VPN | VPN Settings | Advanced tab.
2. Choose Enable Logging.


Chapter 6
Program control

Program control protects you by making sure that only programs you trust can access the Internet. You can use the Program alerts to configure program permissions as they are needed, or use the Programs tab to establish permissions ahead of time. Advanced users can also control the ports that each program is permitted to use.

Topics:
• “Understanding Program control,” on page 68
• “Setting general program control options,” on page 70
• “Configuring program access,” on page 72
• “Setting permissions for specific programs,” on page 74
• “Managing program components,” on page 81
• “Using your programs with Endpoint Security,” on page 83


Understanding Program control

Everything you do on the Internet—from browsing Web pages to downloading MP3 files—is managed by specific programs on your computer.

Hackers exploit this fact by planting “malware”—literally, evil programs—on your computer. Sometimes they send out malware as e-mail attachments with innocent names like “screensaver.exe.” If you open the attachment, you install the malware on your computer without even knowing it. Other times, they convince you to download the malware from a server by making it masquerade as an update to a legitimate program.

Once on your machine, malware can wreak havoc in a variety of ways. It can raid your address book and send itself to everyone in it, or it can listen for connection requests from the Internet. The hacker who distributed the malware can then contact it and give it instructions, effectively taking control of your computer.

To protect your computer from these threats, Endpoint Security’s Program Control feature uses Program authentication (verifies that your programs haven’t been tampered with) and Program access control (provides access or server permission only when you tell it to).

Program access control

When a program requests access for the first time, a New Program alert asks you if you want to grant the program access permission. If the program is trying to act as a server, a Server Program alert is displayed. A Server Program alert asks you if you want to grant server permission to a program.

To avoid seeing numerous alerts for the same program, select the Remember this answer check box before clicking Yes or No. After that, Endpoint Security will silently block or allow the program. If the same program requests access again, a Repeat Program alert asks you if you want to grant (or deny) access permission to a program that has requested it before.

Because Trojan horses and other types of malware often need server rights in order to do mischief, you should be particularly careful to give server permission only to programs that you know and trust, and that need server permission to operate properly.

For more information about program alerts, see “Program alerts,” on page 156.

Program authentication

Whenever a program on your computer wants to access the Internet, Endpoint Security authenticates it via its MD5 Signature. If the program has been altered since the last time it accessed the Internet, Endpoint Security displays a Changed Program alert. You decide whether the program should be allowed access or not. For added security, Endpoint Security also authenticates the components, for example, DLL (Dynamic Link Library) files, associated with the program’s main executable file. If a component has been altered since the last time permission was granted, Endpoint Security displays a Program Component alert, similar in appearance to the Changed Program alert.

For more information about Changed Program alerts and how to respond to them, see “Changed Program alert,” on page 157.
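The baseline-and-compare check described under Program authentication can be sketched as follows. This is an added example, not Check Point's code: the class and function names are hypothetical, the sample files are constructed, and the learning flag stands in for the component learning mode of the Medium program control level. It goes slightly beyond the text by letting the digest algorithm be swapped.

```python
"""Added example: signature-based program and component authentication."""
import hashlib
import tempfile
from pathlib import Path

NEW_PROGRAM = "New Program"
CHANGED_PROGRAM = "Changed Program"
PROGRAM_COMPONENT = "Program Component"


def file_signature(path, algorithm="md5"):
    """Hex digest of a file, read in chunks so large binaries are fine.

    MD5 is the digest the guide names. It is not collision resistant,
    so pass "sha256" when building a baseline of your own.
    """
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ProgramAuthenticator:
    """Remembers signatures of programs and of their components.

    learning=True models the Medium level (components are learned
    silently); learning=False models High (components are checked).
    """

    def __init__(self, algorithm="md5", learning=False):
        self.algorithm = algorithm
        self.learning = learning
        self.programs = {}    # program path -> signature
        self.components = {}  # (program path, component path) -> signature

    def approve(self, program, components=()):
        """Record current signatures, as when the user answers Yes."""
        program = str(program)
        self.programs[program] = file_signature(program, self.algorithm)
        for component in components:
            key = (program, str(component))
            self.components[key] = file_signature(component, self.algorithm)

    def check(self, program, components=()):
        """Return the alerts one access attempt would raise (may be empty)."""
        program = str(program)
        if program not in self.programs:
            return [(NEW_PROGRAM, program)]
        alerts = []
        if file_signature(program, self.algorithm) != self.programs[program]:
            alerts.append((CHANGED_PROGRAM, program))
        for component in components:
            key = (program, str(component))
            current = file_signature(component, self.algorithm)
            if self.components.get(key) == current:
                continue
            if self.learning:
                self.components[key] = current  # learned without an alert
                continue
            # Assumption: when enforcing, an unseen component alerts
            # in the same way as an altered one.
            alerts.append((PROGRAM_COMPONENT, str(component)))
        return alerts


def demo():
    """Run the checks over constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = Path(tmp, "browser.exe")  # constructed sample program
        dll = Path(tmp, "plugin.dll")   # constructed sample component
        exe.write_bytes(b"program v1")
        dll.write_bytes(b"component v1")

        auth = ProgramAuthenticator(learning=True)  # Medium level
        results = [auth.check(exe, [dll])]          # first access attempt
        auth.approve(exe)                           # user answers Yes
        results.append(auth.check(exe, [dll]))      # component is learned
        auth.learning = False                       # switch to High
        dll.write_bytes(b"component v2")            # component altered
        results.append(auth.check(exe, [dll]))
        exe.write_bytes(b"program v2")              # executable altered
        results.append(auth.check(exe, [dll]))
        auth.approve(exe, [dll])                    # user accepts the changes
        results.append(auth.check(exe, [dll]))
        return [[kind for kind, _ in alerts] for alerts in results]


if __name__ == "__main__":
    for step, kinds in enumerate(demo(), 1):
        print(step, kinds or "no alert")
```

A changed signature never updates the baseline by itself; only approve() does, which mirrors the guide's point that you decide whether an altered program keeps its access.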


Setting general program control options

When you’re using Endpoint Security, no program on your computer can access the Internet or your local network, or act as a server, unless you give it permission to do so.

Setting the program control level

Use the program control level to regulate the number of Program alerts you will see when you first begin using Endpoint Security.

Check Point recommends the Medium setting for the first few days of normal use. This component learning mode enables Endpoint Security to quickly learn the MD5 signatures of many frequently used components without interrupting your work with multiple alerts. Use this setting until you have used your Internet-accessing programs (for example, your browser, e-mail, and chat programs) at least once with Endpoint Security running. After you have used each of your programs that need Internet access, change your Program Control setting to High.

To set the global program control level:
1. Select Program Control|Main.
2. In the Program Control area, click the slider and drag it to the desired setting.

HIGH
• Advanced program and component control and Application Interaction Control are enabled.
• You may see a large number of alerts.
• Programs and components are authenticated.
• Program permissions are enforced and Application Interaction Control is enabled.

MED
• Advanced program control and Application Interaction Control are disabled.
• Fewer alerts display.
• Component learning mode is active.
• Programs are authenticated; components are learned.
• Program permissions are enforced.
Note: After you have used each of your programs that need Internet access, change your Program Control setting to High.

LOW
• Advanced program control is disabled.
• Program and Component Learning Mode is active.
• No program alerts are displayed.

OFF
• Program control is disabled.
• No programs or components are authenticated or learned.
• No program permissions are enforced.
• All programs are allowed access/server rights.
• No program alerts are displayed.

Enabling the automatic lock

The automatic Internet lock protects your computer if you leave it connected to the Internet for long periods even when you’re not actively using network or Internet resources.

When the lock engages, only traffic initiated by programs to which you have given Pass-lock permission is allowed. All traffic to and from your computer is stopped, including DHCP messages, or ISP heartbeats, used to maintain your Internet connection. As a result, you may lose your Internet connection.

You can set the Internet lock to engage:
• When your screen saver engages, or
• After a specified number of minutes of network inactivity.

To enable or disable the automatic lock:
1. Select Program Control|Main.
2. In the Automatic Lock area, select On or Off.

To set automatic lock options:
1. Select Program Control|Main.
2. In the Automatic Lock area, click Custom.
   The Custom Lock Settings dialog appears.
3. Specify the lock mode to use.
   • Lock after n minutes of inactivity: Engages automatic lock after the specified number of minutes has passed. Specify a value between 1 and 99.
   • Lock when screensaver activates: Engages automatic lock whenever your screensaver is activated.


Configuring program access

You can configure program access automatically or manually. By using the Program Wizard, you can automatically configure Internet access for some of the most commonly used programs.

Setting access permissions for new programs

Endpoint Security displays a New Program alert when a program on your computer tries to access the Internet or local network resources for the first time. It displays a Server Program alert when a program tries to act as a server for the first time. However, you can also configure Endpoint Security to automatically allow or block new programs without displaying an alert. For example, if you are sure you have given access permission to all the programs you want, you might automatically deny access to any program that asks for permission.

To set connection attempt permissions for new programs:
1. Select Program Control|Main.
2. Click Advanced.
3. In the Connection Attempts area, specify your preferences for each Zone.

Always allow access: Allows all new programs access to the specified Zone.
Always deny access: Denies programs access to the specified Zone.
Always ask for permission: Displays an alert asking for permission for the program to access the specified Zone.

Settings for individual programs can be established in the Programs tab. Settings in this panel apply ONLY to programs not yet listed in the Programs tab.

To set server attempt permissions for new programs:
1. Select Program Control|Main.
2. Click Advanced.
3. In the Server Attempts area, specify your preferences for each Zone.

Always accept the connection: Allows all programs attempting to act as a server.
Always deny the connection: Denies all programs attempting to act as a server.
Always ask before connecting: Displays an alert asking for permission for the program to act as a server.


Customizing program control settings

By default, Endpoint Security always asks you whether to block or to allow connection attempts and server access attempts for the Internet and Trusted Zones. In addition, if the TrueVector Service is running, but Endpoint Security is not, program access is denied by default.

You can customize program control by specifying whether access is always allowed, always denied, or if you want to be asked, each time a program in either the Internet or Trusted Zone requests access.

To set global program properties:
1. Select Program Control|Main.
2. Click Advanced, then select the Alerts & Functionality tab.
3. Specify global program options.

Show alert when Internet access is denied: Displays a Blocked Program alert when Endpoint Security denies access to a program. To have access denied silently, clear this option.
Deny access if permission is set to “ask” and the TrueVector service is running but Endpoint Security is not: In rare cases, an independent process such as a Trojan horse could shut down the Endpoint Security user interface, but leave the TrueVector service running. This setting prevents the application from hanging if this occurs.
Require password to allow a program temporary Internet access: Prompts you to enter a password to grant access permission. Requires that you be logged in to respond Yes to a Program alert. To allow access without a password, clear this option.

4. Click OK.


Setting permissions for specific programs

By setting the Program Control level to High, Med, or Low, you specify globally whether programs and their components must request permission before accessing the Internet or before acting as a server. In some cases, you may want to specify different settings for an individual program than these global settings will allow. For example, if you wanted to allow access to a particular program, but keep security High for all other programs, you could set the permission for that program to Allow.

Using the programs list

The programs list contains a list of programs that have tried to access the Internet or the local network and tells you which Zone the program is in, whether the program can act as a server, and whether the program can send e-mail. The programs list is organized in alphabetical order. You can sort the programs in the list by any column by clicking on the column header. As you use your computer, Endpoint Security detects every program that requests network access and adds it to the programs list.

To access the programs list:
Select Program Control|Programs.

Figure 6-1: Programs list (callouts: status indicator, pass-lock indicator)

The Access, Server, and send mail columns indicate whether a specific program is allowed to access the Internet, act as a server, and send e-mail. Refer to the table below for a description of the symbols used in this list.

Table 6-2: Program permission symbols

Symbol   Meaning
(icon)   The program is allowed access/server rights. To change the permission, click the icon and choose either Block or Ask.
(icon)   Endpoint Security will display a Program alert when the program asks for access and/or server rights. To change the permission, click the icon and choose either Allow or Block.
(icon)   The program is denied access/server rights. To change the permission, click the icon and choose either Allow or Ask.
(icon)   The program is currently active.
(icon)   The program has pass-lock permission, meaning it can continue to access the Internet when the Internet Lock is engaged. To change the permission, click the icon and choose Normal.

Adding a program to the programs list

If you want to specify access or server permission for a program that does not appear on the programs list, you can add the program to the list, then grant the appropriate permissions.

To add a program to the programs list:
1. Select Program Control|Programs, then click Add.
   The Add Program dialog appears.
2. Locate the program you want to add, then click Open.
   Be sure to select the program’s executable file.

To edit a program on the programs list:
1. Select Program Control|Programs.
2. Right-click a program in the Programs column and choose one of the available options.

Changes Frequently: If this option is selected, Endpoint Security will use only file path information to authenticate the program. The MD5 signature will not be checked. Caution: This is a Low security setting.
Options: Opens the Program Options dialog box, in which you can customize security options and create expert rules for programs.
Properties: Opens your operating system’s properties dialog box for the program.
Remove: Deletes the program from the list.

Granting a program permission to access the Internet

There are three ways a program can be granted permission to access the Internet: through a response to an alert, through manual configuration in the programs list, and by automatic configuration by Endpoint Security.

Many of your most commonly used programs can be automatically configured for safe Internet access. To determine whether a program was configured manually or automatically, select the program in the Programs List and refer to the Entry Details field.

To grant a program permission to access the Internet:
1. Select Program Control|Programs.
2. In the Programs column, click the program for which you want to grant access, then select Allow from the shortcut menu.

For information about granting programs permission by responding to an alert, see “New Program alert,” on page 156.

Built-in rules ensure a consistent security policy for each program. Programs with access to the Internet Zone also have access to the Trusted Zone, and programs with server permission in a Zone also have access permission for that Zone. This is why (for example) selecting Allow under Trusted Zone/Server automatically sets all of the program’s other permissions to Allow.

Granting a program permission to act as a server

Exercise caution when granting permission for programs to act as a server, as Trojan horses and other types of malware often need server rights in order to do mischief. Permission to act as a server should be reserved for programs you know and trust, and that need server permission to operate properly.

To grant a program permission to act as a server:
1. Select Program Control|Programs.
2. In the Programs column, click the program for which you want to grant server access, then select Allow from the shortcut menu.

Granting pass-lock permission to a program

When the Internet Lock is engaged, programs given pass-lock permission can continue to access the Internet. If you grant pass-lock permission to a program, and that program uses other applications to perform its functions (for example, services.exe), be sure to give those other programs pass-lock permission as well. A key symbol in the Lock column indicates that the program has pass-lock privilege.

To grant or revoke pass-lock privilege:
1. Select Program Control|Programs.
2. Select a program from the list, then click in the Lock column.
3. Select Pass Lock or Normal from the shortcut menu.
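The difference between the default program authentication and the Changes Frequently option described above, as an added example (not Check Point's code): a programs-list entry is checked either by path plus MD5 digest or by path alone. The ProgramEntry class, the authenticate function and the sample file are constructed for illustration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


def file_digest(path, algorithm="md5"):
    """Hash a file in chunks. MD5 mirrors the guide; the algorithm is a parameter."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize(path):
    """Canonical form so the same file reached by different spellings compares equal."""
    return os.path.normcase(os.path.realpath(path))


@dataclass
class ProgramEntry:
    """Hypothetical model of one programs-list entry."""
    path: str
    digest: str
    algorithm: str = "md5"
    changes_frequently: bool = False  # True = authenticate by path only


def authenticate(entry, candidate_path):
    """Return (allowed, reason) for a program asking for network access."""
    if normalize(candidate_path) != normalize(entry.path):
        return False, "path mismatch"
    if entry.changes_frequently:
        # The file content is never read, so any file at this path passes.
        return True, "path only, digest not checked"
    if file_digest(candidate_path, entry.algorithm) != entry.digest:
        return False, "digest mismatch"
    return True, "path and digest match"


def demo():
    """Register a constructed program, replace it in place, and re-check it."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "mailer.exe")  # constructed sample file
        with open(exe, "wb") as f:
            f.write(b"constructed original program bytes")

        strict = ProgramEntry(exe, file_digest(exe))
        relaxed = ProgramEntry(exe, file_digest(exe), changes_frequently=True)
        results["strict_before"] = authenticate(strict, exe)
        results["relaxed_before"] = authenticate(relaxed, exe)

        # Same path, different content (an update, or a substituted file).
        with open(exe, "wb") as f:
            f.write(b"constructed different bytes at the same path")
        results["strict_after"] = authenticate(strict, exe)
        results["relaxed_after"] = authenticate(relaxed, exe)

        # Original content copied to another location: the path check fails.
        other = os.path.join(d, "copy.exe")
        with open(other, "wb") as f:
            f.write(b"constructed original program bytes")
        results["other_path"] = authenticate(strict, other)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

With the path-only entry, the replaced file keeps every permission the original was granted, which is why the guide labels the option a Low security setting.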


Granting send mail permission to a program

To enable your e-mail program to send e-mail messages and to enable protection against e-mail threats, grant send mail permission to your e-mail program. For more information about protecting your e-mail, see Chapter 8, “E-mail protection,” starting on page 112.

To grant send mail permission to a program:
1. Select Program Control|Programs.
2. Select a program from the list, then click in the send mail column.
3. Select Allow from the shortcut menu.

Advanced Program Control

Advanced Program Control tightens your security by preventing unknown programs from using trusted programs to access the Internet, or preventing hackers from using the Windows CreateProcess and OpenProcess functions to manipulate your computer.

By default, the following applications are allowed to use other programs to access the Internet:
• Endpoint Security
• MS Word, Excel, PowerPoint, and Outlook

To enable Advanced Program Control for a program:
1. Select Program Control|Programs.
2. In the Programs column, select a program, then click Options.
   The Program Options dialog appears.
3. Select the Security tab, then choose your Advanced Program Control options.

This program may use other programs to access the Internet: Allows the selected program to use other programs to access the Internet.
Allow Application Interaction: Allows the selected program to use OpenProcess and CreateProcess functions on your computer.

4. Click OK.

Disabling Outbound Mail protection for a program

By default, Outbound Mail protection is enabled for all programs. Because the ability to send e-mail is not a characteristic of all programs, you may choose to disable Outbound Mail protection for any program that does not require it.

To disable Outbound Mail protection for a program:
1. Select Program Control|Programs.
2. Select a program from the list, then click Options.
   The Program Options dialog appears.
3. Select the Security tab.
4. Clear the check box labeled Enable Outbound E-mail Protection for this program.
5. Click Apply to save your changes, then click OK.

For more information about Outbound E-mail Protection, see “Outbound MailSafe protection,” on page 113.

Setting Filter Options

By default, Privacy protection and Web Filtering are disabled for all programs. You can enable these features for a program from the Program Options dialog.

To enable Privacy protection and Web Filtering for a program:
1. Select Program Control|Programs.
2. Select a program from the list, then click Options.
   The Program Options dialog appears.
3. Select the Security tab.
4. In the Filter Options area, select the check box labeled Enable Privacy for this program.
5. Click Apply to save your changes, then click OK.

For more information about Privacy protection, see Chapter 9, “Privacy protection,” starting on page 116.

Setting authentication options

By default, all programs are authenticated by their components. You can specify authentication options for a program from the Program Options dialog.

Allowing others to use programs

You may want to prevent your children from changing your security settings, but still allow them to use new programs.

To allow access to programs without using a password:
1. Select Overview|Preferences.
2. Click Set Password.
3. Select the check box labeled Allow others to use programs without a password (unless the program permission is set to “Block”).
   With this option selected, users must provide a password before they will be allowed to change your settings. However, without providing a password, users will be able to allow Internet access for new programs and programs whose permissions are set to “Ask”. For programs explicitly blocked by you, access will continue to be denied.
4. Click OK.


Managing program components

For each program on your computer, you can specify whether Endpoint Security will authenticate the base executable only, or the executable and the components it loads. In addition, you can allow or deny access to individual program components.

The Components List contains a list of program components for allowed programs that have tried to access the Internet or the local network. The Access column indicates whether the component is always allowed access, or whether Endpoint Security should alert you when that component requests access.

The Components List is organized in alphabetical order. You can sort the components in the list by any column by clicking on the Component column header. As you use your computer, Endpoint Security detects the components that are used by your programs and adds them to the Components List.

To access the Components List:
Select Program Control|Components.

Figure 6-3: Components List

To grant access permission to a program component:
1. Select Program Control|Components.
2. Select a component from the list, then click in the Access column.
3. Select Allow from the shortcut menu.


Using your programs with Endpoint Security

To ensure that your other software programs are compatible with Endpoint Security, you may need to modify your program’s configuration settings.

Many of your most commonly used programs can be configured automatically for Internet access. To see if the programs you use can be automatically configured, consult the list in the Program Wizard. Although, in some cases, Internet access can be configured automatically, many programs also require server access rights.

Using Antivirus software

In order for your antivirus software to receive updates it must have access permission for the Trusted Zone.

In order to receive automatic updates from your antivirus software vendor, add the domain that contains the updates (e.g., update.avsupdate.com) to your Trusted Zone. See “Adding to the Trusted Zone,” on page 33.

Using browser software

In order for your browser to work properly, it must have access permission for the Internet Zone and Trusted Zone. Before granting permission, make sure that you understand how to configure your browser’s security for optimal protection and have the latest service packs installed for the browser you are using.

To grant your browser access permission, do any of the following:
• Run the Program Wizard.
  Endpoint Security will automatically detect your default browser and prompt you to grant it Internet Zone access.
• Grant access to the program directly. See “Granting a program permission to access the Internet,” on page 76.
• Answer Yes when a Program alert for the browser appears.

Internet Explorer

If you are using Windows 2000, you may need to allow Internet access rights to the Services and Controller App (the file name is typically services.exe).

To grant Internet access permission to the Services and Controller App:
1. Select Program Control|Programs.
2. In the Programs column, locate Services and Controller App.
3. In the Access column, select Allow from the shortcut menu.


Netscape

Netscape Navigator versions above 4.73 will typically experience no problems running concurrently with Endpoint Security. If you are using Navigator version 4.73 or higher and are still experiencing difficulty accessing the Web with Endpoint Security active, check the browser Preferences to make sure you are not configured for proxy access.

Using chat programs with Endpoint Security

Chat and instant messaging programs (for example, AOL Instant Messenger) may require server permission in order to operate properly.

To grant server permission to your chat program:
• Answer “Yes” to the Server Program alert caused by the program.
• Grant server permission to the program.
  See “Granting a program permission to act as a server,” on page 77.

We strongly recommend that you set your chat software to refuse file transfers without prompting first. File transfer within chat programs is a means to distribute malware such as worms, viruses, and Trojan horses. Refer to your chat software vendor's help files to learn how to configure your program for maximum security.

Using e-mail programs with Endpoint Security

In order for your e-mail program (for example, Microsoft Outlook) to send and receive mail, it must have access permission for the Zone the mail server is in. In addition, some e-mail client software may have more than one component requiring server permission. For example, Microsoft Outlook requires both the base application (OUTLOOK.EXE) and the Messaging Subsystem Spooler (MAPISP32.exe) to have server permission.

While you can give your e-mail program access to the Internet Zone, and leave the mail server there, it’s safer to place the mail server in the Trusted Zone, and limit the program's access to that Zone only. Once your e-mail client has access to the Trusted Zone, add the remote mail server (host) to the Trusted Zone.

To learn how to give a program permission to access or act as a server to the Trusted Zone, see “Setting general program control options,” on page 70.

To learn how to add a host to the Trusted Zone, see “Managing traffic sources,” on page 32.

You can also heighten security by limiting the ports that your e-mail program can use. See “Default port permission settings,” on page 35.

Using Internet answering machine programs with Endpoint Security

To use Internet answering machine programs (such as CallWave) with Endpoint Security, do the following:
• Give the program server permission and access permission for the Internet Zone.
• Add the IP address of the vendor's servers to the Trusted Zone.
  To find the server IP address, contact the vendor's technical support.
• Set the security level for the Internet Zone to medium.

Using file sharing programs with Endpoint Security

File sharing programs, such as Napster, Limewire, AudioGalaxy, or any Gnutella client software, must have server permission for the Internet Zone in order to work with Endpoint Security.

Using FTP programs with Endpoint Security

To use FTP (File Transfer Protocol) programs, you may need to make the following settings adjustments in your FTP client program and in Endpoint Security:
• Enable passive or PASV mode in your FTP client
  This tells the client to use the same port for communication in both directions. If PASV is not enabled, Endpoint Security may block the FTP server's attempt to contact a new port for data transfer.
• Add the FTP sites you use to the Trusted Zone
• Give Trusted Zone access permission to your FTP client program.

To learn how to add to the Trusted Zone and give access permission to a program, see “Setting advanced security options,” on page 29.

Using games with Endpoint Security

In order to play games over the Internet while using Endpoint Security, you may have to adjust the following settings.

Program permission

To function, Internet games require access permission and/or server permission for the Internet Zone.

The easiest way to grant access is to answer “Yes” to the program alert caused by the game program. However, many games run in “exclusive” full screen mode, which will prevent you from seeing the alert. Use any of the methods below to solve this problem.
• Set the game to run in a window
  This will allow you to see the alert, if the game is running at a resolution lower than that of your desktop. If the alert appears but you cannot respond to it because your mouse is locked to the game, press the Windows logo key on your keyboard.
  After granting the game program Internet access, reset the game to run full-screen.
• Use software rendering mode
  By changing your rendering mode to “Software Rendering,” you can allow Windows to display the alert on top of your game screen. After allowing the game Internet access, you can change back to your preferred rendering device.
• Use Alt+Tab
  Press Alt+Tab to toggle back into Windows. This leaves the game running, but allows you to respond to the alert. Once you have allowed Internet access, press Alt+Tab again to restore your game.

The last method may cause some applications to crash, especially if you are using Glide or OpenGL; however, the problem should be corrected the next time you run the game. Sometimes you can use Alt-Enter in the place of Alt-Tab.

Security level/Zone

Some Internet games, particularly those that use Java, applets, or other Web-based portal functionality, may not work properly when your Internet Zone security level is set to High. High security will also prevent remote game servers from “seeing” your computer. To solve these problems, you can:
• Change your Internet Zone security level to Medium, or
• Add the game server you’re connecting to to your Trusted Zone. The game documentation or the game manufacturer’s Web site should indicate the IP address or host name of the server.

To learn how to add a host or IP address to the Trusted Zone, see the related topic “Adding to the Trusted Zone,” on page 33.

Trusting game servers means trusting the other players in the game. Endpoint Security does not protect you from attacks instigated by fellow gamers in a trusted environment. Make sure that you understand how to configure your browser's security for optimal protection and have the latest service packs installed for the browser you are using.

Using remote control programs with Endpoint Security

If your computer is either the host or the client of a remote access system such as PCAnywhere or Timbuktu:
• Add the IP address(es) of the hosts or clients to which you connect to your Trusted Zone. See “Adding to the Trusted Zone,” on page 33.
• Add the subnet of the network you are accessing remotely to your Trusted Zone. See “Adding to the Trusted Zone,” on page 33.
• If a dynamic IP address is assigned to the remote machine, add the DHCP server address or range of addresses to the Trusted Zone.

If your remote control client or host is on a network not under your control (for example on a business or university LAN), perimeter firewalls or other features of the network may prevent you from connecting. If you still have problems connecting after following the instructions above, contact your network administrator for assistance.

Using VNC with Endpoint Security

In order for VNC and Endpoint Security to work together, follow the steps below.
1. On both the server and viewer (client) machine, do one of the following:
   • If you know the IP address or subnet of the viewer (client) you will be using for remote access, and it will always be the same, add that IP or subnet to the Trusted Zone. See “Adding to the Trusted Zone,” on page 33.
   • If you do not know the IP address of the viewer, or it will change, then give the program access permission and server permission for the Trusted and Internet Zones. See “Setting permissions for specific programs,” on page 74.
   When prompted by VNCviewer on the viewer machine, enter the name or IP address of the server machine, followed by the password when prompted. You should be able to connect.

   If you enable VNC access by giving it server permission and access permission, be sure to set and use your VNC password in order to maintain security. We recommend adding the server and viewer IP addresses to the Trusted Zone, rather than giving the application Internet Zone permission, if possible.
2. On the viewer (client) machine, run VNCviewer to connect to the server machine. Do not run in “listen mode.”

Using streaming media programs with Endpoint Security

Applications that stream audio and video, such as RealPlayer, Windows Media Player, QuickTime, etc., must have server permission for the Internet Zone in order to work with Endpoint Security.

To learn how to give server permission to a program, see “Granting a program permission to act as a server,” on page 77.

Using Voice over Internet programs with Endpoint Security

To use Voice over IP (VoIP) programs with Endpoint Security, you must do one or both of the following, depending on the program:
1. Give the VoIP application server permission and access permission.
2. Add the VoIP provider’s servers to the Trusted Zone. To learn the IP addresses of these servers, contact your VoIP provider's customer support.

Using Web conferencing programs with Endpoint Security

If you experience problems using a Web conferencing program such as Microsoft Netmeeting, try the following:
1. Add the domain or IP address that you connect to in order to hold the conference to the Trusted Zone. See “Adding to the Trusted Zone,” on page 33.
2. Disable the conferencing program’s “Remote Desktop Sharing” option.
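For the FTP passive-mode setting described earlier in this chapter, an added example (not from the guide) that reads a constructed FTP control-channel transcript and reports, for each data-channel negotiation, which side listens and so which side receives the inbound connection. The mapping to the guide's access and server permissions is this example's reading, the function names are hypothetical, and the addresses are documentation ranges.

```python
import re

# Client command for active mode (RFC 959): PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# Server reply for passive mode (RFC 959): 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Server reply for extended passive mode (RFC 2428): 229 ... (|||port|)
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d+)\1\)")


def _endpoint(fields):
    """Turn six decimal fields into (ip, port); None if any field is not a byte."""
    nums = [int(x) for x in fields]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def classify(control_lines, server_ip):
    """
    control_lines: list of (sender, text) with sender "C" (client) or "S" (server).
    Returns one dict per data-channel negotiation found in the transcript.
    """
    found = []
    for sender, text in control_lines:
        text = text.strip()
        if sender == "C" and (m := PORT_RE.match(text)):
            ep = _endpoint(m.groups())
            if ep:
                # Active mode: the client listens, the server connects in.
                found.append({"mode": "active", "listener": "client",
                              "endpoint": ep,
                              "client_needs": "server permission"})
        elif sender == "S" and (m := PASV_RE.match(text)):
            ep = _endpoint(m.groups())
            if ep:
                # Passive mode: the server listens, the client connects out.
                found.append({"mode": "passive", "listener": "server",
                              "endpoint": ep,
                              "client_needs": "access permission"})
        elif sender == "S" and (m := EPSV_RE.match(text)):
            port = int(m.group(2))
            if 0 < port < 65536:
                # EPSV carries only a port; the address is the control peer's.
                found.append({"mode": "extended passive", "listener": "server",
                              "endpoint": (server_ip, port),
                              "client_needs": "access permission"})
    return found


# Constructed transcript: one active, one passive, one malformed passive
# reply (ignored), and one extended passive negotiation.
SAMPLE_SESSION = [
    ("C", "PORT 198,51,100,7,19,137"),
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("S", "227 Entering Passive Mode (192,0,2,999,1,1)"),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||6446|)"),
]

if __name__ == "__main__":
    for item in classify(SAMPLE_SESSION, "192.0.2.10"):
        ip, port = item["endpoint"]
        print(f'{item["mode"]:17} {item["listener"]} listens on {ip}:{port}; '
              f'FTP client needs {item["client_needs"]}')
```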


Chapter 7: Spyware and Virus protection

The integrated Antivirus and Antispyware feature protects your computer against viruses and spyware in a single powerful operation. Multiple scanning options automatically detect viruses and spyware and render them harmless before they can damage your computer.

Topics:
• “Spyware and Virus Protection,” on page 90
• “Customizing virus protection options,” on page 93
• “Customizing spyware protection options,” on page 98
• “Performing a virus scan,” on page 100
• “Performing a spyware scan,” on page 106
• “Viewing virus and spyware protection status,” on page 111


Spyware and Virus Protection

The Antispyware feature detects spyware components on your computer and either removes them automatically, or places them in quarantine so that you can remove them manually after assessing their risk.

The Antivirus feature keeps known and unknown viruses from affecting your computer by scanning files and comparing them to a database of known viruses and against a set of characteristics that tend to reflect virus behavior. Files can be scanned as they are opened, closed, executed, or as part of a full computer-wide scan. If a virus is detected, Endpoint Security renders it harmless, either by repairing or denying access to the infected file.

Turning on virus and spyware protection

If you chose not to turn on the antivirus protection feature in the Configuration Wizard following installation, you can turn it on manually.

The Endpoint Security antivirus protection feature is incompatible with other virus protection software. Before you turn on the antivirus protection feature, you must uninstall any other antivirus software from your computer, including suite products that include virus protection among their features. Endpoint Security can automatically uninstall some antivirus applications for you. If you are using a program that cannot be uninstalled automatically, you can uninstall it using Add/Remove Programs, accessible from the Windows Control Panel.

To enable virus and spyware protection:
1. Select Anti-virus / Anti-spyware|Main.
2. In the Anti-virus area, select On.
3. In the Anti-spyware area, select On.

Scheduling a scan

Scanning your computer for viruses and spyware is one of the most important things you can do to protect the integrity of your data and computing environment. Since scanning is most effective when performed at regular intervals, it often makes sense to schedule it as a task to run automatically. If your computer is not on when the scheduled scan is set to occur, the scan will occur fifteen minutes after your computer is restarted.

To schedule a scan:
1. Select Anti-virus/Anti-spyware|Main.
2. In the Anti-virus area, click Advanced Options.
   The Advanced Options dialog appears.
3. Under Advanced Settings, select Scan Schedule.


Chapter 7: Spyware and Virus protectionUpdating virus and spyware definitions4. Select the Scan for viruses check box, then specify a day and time for the scan.5. Specify the scan frequency.By default, a virus scan is performed once per week.6. Select the Scan for spyware check box, then specify a day and time for the scan.7. Specify the scan frequency.By default, a spyware scan is performed once per week.8. Click OK.If you do not want to schedule scans in advance, clear the Scan for viruses and/or Scan for spyware check boxes.Updating virus and spyware definitionsEvery virus or spyware application contains unique identification information, knownas its definition file. These definition files are the maps used to locate viruses andspyware on your computer. As new viruses or spyware applications are discovered,<strong>Endpoint</strong> <strong>Security</strong> updates its databases with the definitions files it needs to detect thesenew threats. Therefore, your computer is vulnerable to viruses and spyware whenever itsdatabase of virus definitions files becomes outdated. The Details area located on theUser Guide for <strong>Check</strong> <strong>Point</strong> <strong>Endpoint</strong> <strong>Security</strong> client 91


Chapter 7: Spyware and Virus protectionUpdating virus and spyware definitionsMain tab of the Anti-virus / Anti-spyware panel displays the status of your definitionfiles.Indicates that definition filesare out of dateClick here to updatedefinition files.Figure 7-1: Antivirus and Antispyware statusBy enabling the automatic update feature, you will always receive the latest definitionfiles when they are available.To enable automatic updates:1. Select Anti-virus / Anti-spyware|Main.2. In the Anti-virus area, click Advanced Options.The Advanced Options dialog appears.3. Select Updates, then select the enable automatic anti-virus updates check box.4. Select the enable automatic anti-spyware updates check box.5. Click OK.User Guide for <strong>Check</strong> <strong>Point</strong> <strong>Endpoint</strong> <strong>Security</strong> client 92


Customizing virus protection options

In addition to choosing the type of scan you want to perform, you also can specify the method used to detect viruses, and set treatment methods.

Endpoint Security provides several types of virus scans to keep your computer and data safe: system scans, on-access scans, and e-mail scans.

Specifying scan targets

You can specify which drives, folders, and files are scanned when a system scan occurs. Exclude or include an item in the scan by selecting the check box beside it. By default, Endpoint Security only scans local hard drives.

Figure 7-2: Scan targets dialog box

Table 7-2 below provides an explanation of the icons shown in the Scan Targets dialog box.

Table 7-2: Icons indicating scan targets

Icon: Explanation
• The selected disk and all sub-folders and files will be included in the scan.
• The selected disk and all sub-folders and files will be excluded from the scan.
• The selected disk will be included in the scan, but one or more sub-folders or files will be excluded from the scan.
• The selected folder will be excluded from the scan, but one or more sub-folders or files will be included in the scan.
• The selected folder will be included in the scan. A gray check mark indicates that scanning of the folder or file is enabled because scanning has been enabled for a higher level disk or folder.
• The selected folder will be excluded from the scan. A gray “x” mark indicates that scanning of the folder or file is disabled because scanning has been disabled for a higher level disk or folder.
• Other: RAM DISK and any unknown drives. Help should be provided for the other drives, that they mean RAM DISK and any unknown drive (other than floppy, removable, local, remote, CD, network drives).

To specify scan targets:
1. Select Anti-virus / Anti-spyware|Main.
2. Click Advanced Options.
   The Advanced Options dialog appears.
3. Under Virus Management, select Scan Targets.
4. Select the drives, folders, and files to be scanned.
   Specify other drives to scan. Other includes RAM DISK and other unknown drives.
5. Select or clear the scan boot sectors for all local drives check box, then click OK.
6. Select or clear the scan system memory check box, then click OK.

On-Access scanning

On-Access scanning protects your computer from viruses by detecting and treating viruses that may be dormant on your computer. On-Access scanning is enabled by default. On-Access scanning supplies the most active form of virus protection. Files are scanned for viruses as they are opened, executed, or closed, thereby allowing immediate detection and treatment of viruses.

On-access scan will only scan for viruses in an archive (compressed file, such as those with a .zip extension) when the file is opened. Unlike other types of files, archives are not scanned when moved from one location to another.

To enable on-access scanning:
1. Select Anti-virus / Anti-spyware|Main.
2. In the Protection area, click Advanced Options.
   The Advanced Anti-virus Settings dialog appears.
3. Under Advanced Settings, select On-Access Scanning.
4. Select the Enable On-Access Scanning check box, then click OK.

E-mail Scanning

E-mail scanning builds on the protection offered by MailSafe by scanning for viruses in the body and attachments of e-mail messages based on the file’s signature and removing them before they can do damage. Where MailSafe scans for potentially harmful attachments based on file extension, the E-mail scanning feature scans for harmful files by comparing the attachments to the signature files of known viruses. If an infected attachment is detected, the attachment is removed from the e-mail message and replaced with a text file log that provides details about the removed file.

To enable or disable E-mail scanning:
1. Select Anti-virus / Anti-spyware|Main, then click Advanced Options.
   The Advanced Options dialog appears.
2. Under Virus Management, select E-mail Scanning.
3. Select or clear the Enable E-mail Scanning check box, then click OK.

Enabling automatic virus treatment

When a virus infection is detected, the Scan dialog offers the available treatment options, such as Quarantine, Repair, or Delete. By default, Endpoint Security automatically attempts to treat files that contain viruses. If a file cannot be repaired, the Scan dialog will inform you so that you can take the appropriate action.

To enable automatic virus treatment:
1. Select Anti-virus / Anti-spyware|Main, then click Advanced Options.
2. Under Virus Management, select Auto Treatment.
3. Select the auto treatment option you want:
   • Alert me - do not treat automatically
   • Try to repair, and alert me if repair fails
   • Try to repair, quarantine if repair fails (recommended)
4. Click OK.


Virus Scan Options

You can configure your virus scan to ignore any file larger than a specified size (default setting is 8 MB). This option improves scan time without increasing risk, as virus files are usually smaller than 8 MB. While large files ignored by the scan may contain viruses, your computer is still protected if you have on-access scan enabled.

You can also enable the extended database. This database includes a comprehensive list of malware in addition to the standard virus list. However, some malware listed in the extended database may also be listed in the standard antispyware database; some suspected malware may be scanned twice. Also, the extended database malware list may include programs that you consider to be benign.

To specify virus scan options:
1. Select Anti-virus / Anti-spyware|Main, then click Advanced Options.
   The Advanced Options dialog appears.
2. Under Virus Management, select Scan Options.
3. Select or clear the Skip if the object is greater than check box.
   If you checked this box, enter a maximum object size in the MB field.
4. Select or clear the Enable extended database check box, then click OK.

Exceptions List

Although some programs considered to be suspicious by the extended database have the potential to harm your computer or to make your data vulnerable to hackers, there are many potentially benign applications that still will be detected as viruses during a scan. If you are using one of these applications, you can exclude it from antivirus scans by adding it to the exceptions list. You can add programs to the exceptions list by right-clicking the item in the Scan Results list and choosing Ignore Always from the menu.

Once programs are on the exceptions list, they no longer will be detected during virus scans. If a virus was added to the exceptions list accidentally, you can remove it manually.

To remove viruses from the exceptions list:
1. Select Anti-virus / Anti-spyware|Main, then click Advanced Options.
2. Under Virus Management, select Exceptions.
3. In the Virus Treatment Exceptions area, select the virus you want to remove, then click Remove from List.
4. Click OK.


Customizing spyware protection options

In addition to choosing the type of scan you want to perform, you also can specify the method used to detect spyware, and set treatment methods.

Enabling automatic spyware treatment

When spyware is detected, the Scan dialog offers the available treatment options, such as Quarantine or Delete. The Scan dialog will display the suggested treatment of spyware so that you can take the appropriate action.

To enable automatic spyware treatment:
1. Select Anti-virus / Anti-spyware|Main, then click Advanced Options.
2. Under Spyware Management, select Auto Treatment.
3. Select the Enable automatic spyware treatment check box, then click OK.

Specifying spyware detection methods

In addition to default detection that searches your computer’s registry for active spyware, there are methods to detect latent spyware and hard-to-find spyware.

To specify spyware detection methods:
1. Select Anti-virus / Anti-spyware|Main, then click Advanced Options.
2. Under Spyware Management, select Detection.
3. Select the Scan for spy cookies check box.
4. Under Maximum strength detection, select the desired option:
   • Intelligent quick scan: This option is selected by default.
   • Full system scan: Scans the local file system. This option can slow down scan performance. Select this option only if you suspect undetected spyware is present on your computer.
   • Deep-inspection scan: Scans every byte of data on your computer. This option can slow down scan performance. Select this option only if you suspect undetected spyware is present on your computer.
5. Click OK.

Excluding spyware from scans

Although some spyware has the potential to harm your computer or to make your data vulnerable to hackers, there are many benign applications that still will be detected as spyware during a scan. If you are using one of these applications, for example, voice recognition software, you can exclude it from spyware scans by adding it to the exceptions list. You can add spyware to the exceptions list by right-clicking the item and choosing Always Ignore from the menu.

Once spyware is on the exceptions list, it no longer will be detected during spyware scans. If spyware was added to the exceptions list accidentally, you can remove it manually.

To remove spyware from the exceptions list:
1. Select Anti-virus / Anti-spyware|Main, then click Advanced Options.
2. Under Spyware Management, select Exceptions.
3. In the Spyware Treatment Exceptions area, select the spyware application you want to remove, then click Remove from List.
4. Click OK.

Preventing spyware attacks

In order to make its way onto your computer, spyware often masquerades as a legitimate program so that it can fool you into granting it permission to access your files and carry out functions. How can you be sure that the pop-up alerting you to an update for your operating system is really as harmless as it appears? Endpoint Security provides special controls that prevent spyware from installing itself on your computer. The SmartDefense Advisor and Trust Level columns on the programs list determine a program’s permission to perform certain functions. For more information about these controls and how they protect you from spyware, see “Using the programs list,” on page 74.


Performing a virus scan

There are several ways you can initiate a virus scan of your computer.
• You can click Scan for Viruses in the Anti-virus area on the Main tab of the Anti-virus / Anti-spyware panel.
• You can right-click a file on your computer, then choose Scan with Check Point Anti-virus.
• You can schedule a system scan to run once or at regular intervals.
• You can open a file (if on-access scanning is enabled).

You may run up to five scans simultaneously. Scans are performed in the order in which they are initiated. System scans provide another level of protection by allowing you to scan the entire contents of your computer at one time. System scans detect viruses that may be dormant on your computer’s hard drive, and if run frequently, can ensure that your antivirus signature files are up to date.

Because of the thorough nature of full-system scans, they can take some time to perform. As a result, your system’s performance may be slowed down while a full-system scan is in progress. To avoid any impact on your workflow, you can schedule system scans to run at a time when you are least likely to be using your computer.

Clicking Pause in the Scan dialog while a scan is being performed will stop the current scan only. On-access scanning will not be disabled. Click Pause again to resume the current scan.

During the scan, the Advanced Options button is disabled.


Understanding virus scan results

Regardless of the method used to initiate the scan, the results of the scan are displayed in the Scan Results dialog box as shown in the figure below.

Figure 7-3: Virus scan results dialog (callout: “Click here to send virus to SmartDefense Advisor for more information”)

The Active Items area of the Scan details dialog lists infections found during the scan that could not be treated automatically. To accept the suggested treatments in the Treatment column, click Apply. The items listed under Auto Treatment have already been treated; you do not need to take further action.

Name: The name of the virus that caused the infection.
Treatment: Specifies the treatment applied to the infection. Possible values are Quarantined or Deleted.
Risk: Indicates the risk level of the infection. All viruses are considered High risk.
Path: The location of the virus that caused the infection.
Type: Specifies whether the infection was caused by a virus, worm, or trojan.
Status: Tells you whether the file has been repaired, deleted, or remains infected. If Endpoint Security was unable to treat the item, a What to do next link may appear here. This link will direct you to further information and instructions.
Information: Provides more detail about the infection. To get more information about a virus or spyware, click the Learn more link.

Treating virus files manually

If you do not have automatic treatment enabled, or if a file could not be repaired automatically, you can attempt to treat it manually from the Scan details dialog.

To treat a file manually:
1. In the Scan Results dialog, select the item you want to treat.
2. In the Treatment column, choose the treatment option you want:
   • Repair: Tries to repair the selected file.
   • Quarantine: Appends the extension .zl6 to the infected file to render it harmless. The file is placed in Quarantine.
   • Rename: Allows you to rename the file so that it will not be found by future scans. You should use this option only if you are sure that the file is in fact not a virus.
   • Delete: Deletes the selected file.
   • Delete on Reboot: Deletes the selected file when your computer is next restarted.
   • Ignore Always: Instructs Endpoint Security to ignore the file in all future scans.
   • Ignore Once: Instructs Endpoint Security to remove the item from the list and take no further action.


3. Click Close when you have finished treating files.

If the results of a virus scan contain Error, No treatment available, or Treatment failed, it means that there is not yet a way to automatically remove the virus without risking the integrity of your computer or other files. In some cases, there may be manual treatments available to you. To find out, enter the name of the virus along with the word “removal” into a search engine, such as Google or Yahoo, to locate removal instructions. Otherwise, know that we’re constantly researching viruses and developing safe ways to remove them.

Repairing files in an archive

If the infected file is located in an archive file (such as a .zip file), Endpoint Security will not be able to treat it (either by repairing, deleting, or placing it in Quarantine) while the file is still included in the archive.

To repair a file in an archive:
1. Select Anti-virus / Anti-spyware|Main, then click Advanced Options.
2. Select On-Access Scanning, then select the Enable On-Access Scanning check box.
3. Click Apply, then click OK.
4. Open the file that was specified in the Scan Results dialog from within an archival utility, such as WinZip.
   On-access scanning will scan the file for infections. The Scan Results dialog will appear with the results of the scan. If the file still cannot be repaired, see “Treating virus files manually,” on page 102.

On-access scan will only scan for viruses in an archive when the file is opened. Unlike other types of files, archives are not scanned when moved from one location to another.

Submitting viruses and spyware to Check Point for review

Reporting and submitting suspected malware to Check Point helps to improve the security and protection of all Internet users. The Check Point Security Team monitors all incoming submissions for new files. The Check Point Security Team will act on your submission as appropriate and may contact you for more information or to provide details about the files you submit.

Due to the volume of malware released each day, our researchers cannot respond to each file you submit. However, we appreciate the assistance of our users and thank you for taking the time to help secure the Internet. Please address any questions or concerns to: security@zonelabs.com

To submit malware to Zone Labs for review:
1. Place the malware file in a password-protected .zip archive with the password set to infected.
   For help with creating a password-protected archive, refer to the Help for WinZip.
2. Send the .zip file to malware@zonelabs.com
   Use this e-mail address only for sending malware to the Zone Labs Security Team.

Please do not send malware files if you feel you cannot do so safely or if it would increase the risk of infection or damage to your system. Do not e-mail suspected malware files to others as they could be malicious.

Viewing logged virus events

By default, all Virus events are recorded in the Log Viewer.

To view logged Virus events:
1. Select Alerts & Logs|Log Viewer.
2. Select Anti-virus from the Alert Type drop-down list.

Table 7-3 provides an explanation of the log viewer fields available for Virus events.

Table 7-3: Virus event log fields

Field: Information
Date: The date of the infection.
Type: The type of event that occurred. Possible values for this field include:
   • Update
   • Scan
   • Treatment
   • E-mail
Virus name: The common name of the virus. For example, iloveyou.exe.
Filename: The name of the infected file, the name of files being scanned, or the name and version number of update and/or engine.
Action Taken: How the traffic was handled by Endpoint Security. Possible values include:
   • Updated, Update cancelled, Update Failed
   • Scanned, Scan cancelled, Scan Failed
   • File Repaired, File Repair Failed
   • Quarantined, Quarantine Failed
   • Deleted, Delete Failed
   • Restored, Restore Failed
   • Renamed, Rename Failed
Actor: Whether the action was manual or auto.
E-mail: If the virus was detected in e-mail, the e-mail address of the sender of the infected message.


Performing a spyware scan

There are several ways you can initiate a spyware scan of your computer.
• You can click Scan for Spyware in the Anti-spyware area on the Main tab of the Anti-virus / Anti-spyware panel.
• You can schedule a system scan to run once or at regular intervals.

You may run up to five scans simultaneously. Scans are performed in the order in which they are initiated. System scans provide another level of protection by allowing you to scan the entire contents of your computer at one time. System scans detect viruses that may be dormant on your computer’s hard drive, and if run frequently, can ensure that your antivirus signature files are up to date.

Because of the thorough nature of full-system scans, they can take some time to perform. As a result, your system’s performance may be slowed down while a full-system scan is in progress. To avoid any impact on your workflow, you can schedule system scans to run at a time when you are least likely to be using your computer.

Clicking Pause in the Scan dialog while a scan is being performed will stop the current scan. Click Pause again to resume the current scan.


Understanding spyware scan results

The results of a spyware scan are displayed in the Scan Results dialog box as shown in the figure below.

Figure 7-4: Spyware scan results dialog (callout: “Choose treatment from drop-down list, then click Apply.”)

The Active Items area of the Scan details dialog lists infections found during the scan that could not be treated automatically. To accept the suggested treatments in the Treatment column, click Apply. The items listed under Auto Treatment have already been treated; you do not need to take further action.

Name: The name of the spyware.
Treatment: Specifies the treatment applied to the infection. Possible values are Quarantined or Deleted.
Security Risk: Indicates the risk level of the infection. Possible values for this column include:
   • Low - Adware or other benign, but annoying software.
   • Med - Potential privacy breach.
   • High - Poses a security threat.
Path: The location of the virus or spyware that caused the infection.
Type: The category of spyware detected. Possible values for this field include keylogging software and tracking cookie.
Status: Tells you whether the file has been repaired, deleted, or remains infected. If Endpoint Security was unable to treat the item, a What to do next link may appear here. This link will direct you to further information and instructions.
Information: Provides more detail about the infection. To get more information about a virus or spyware, click the Learn more link.

Errors in spyware scan results

If the results of a spyware scan contain Error, No treatment available, or Treatment failed, it means that there is not yet a way to automatically remove the spyware without risking the integrity of your computer or other files. This is not uncommon, as spyware writers often employ heavy-handed tactics to keep their spyware on your computer with no regard to the damage they could cause.

In most cases, there are manual treatments available to you. To find out, enter the name of the spyware along with the word “removal” into a search engine, such as Google or Yahoo, and see if you can find removal instructions. Otherwise, know that we’re constantly researching spyware such as this and developing safe ways to remove it. Chances are we’ll have a treatment available soon.

Viewing items in quarantine

In some cases, items detected during a virus or spyware scan cannot be treated or removed automatically. These items are usually placed into quarantine so that they are rendered harmless but preserved so that they may be treated in the future after an update to your virus and spyware signature files.

To view viruses in quarantine:
1. Select Anti-virus / Anti-spyware.
2. Select the Quarantine tab.
3. Choose Viruses from the Quarantined View drop-down list.

The virus view in quarantine contains the following columns of information:

Infection: The name of the virus that caused the infection.
Days in Quarantine: The number of days the virus has been in quarantine.
Path: The location of the virus on your computer.

To view spyware in quarantine:
1. Select Anti-virus / Anti-spyware.
2. Select the Quarantine tab.
3. Choose Spyware from the Quarantined View drop-down list.
4. Select an item and click More Info to send the item to Check Point for analysis.

The spyware view in quarantine contains the following columns of information:

Type: The type of spyware detected. Possible values include tracking cookie and keylogger.
Name: The name of the spyware that was detected.
Risk: The risk level of the infection. Indicates whether the spyware is benign like adware, or a serious threat like keylogging software.
Days in Quarantine: The number of days the spyware has been in quarantine.

To delete or restore an item in quarantine:
1. Select Anti-virus / Anti-spyware.
2. Select the Quarantine tab.
3. Choose Spyware or Viruses from the Quarantined View drop-down list.
4. Select the item from the list, then click Delete or Restore.
   Clicking Delete will remove the item from the Quarantine tab, and send the item to the Recycle Bin. Clicking Restore will take the item out of Quarantine and restore it to its original location. Use this function carefully, as you do not want to restore files that could be malicious.

Viewing logged spyware events

By default, all Spyware events are recorded in the Log Viewer.

To view logged spyware events:
1. Select Alerts & Logs|Log Viewer.
2. Select Anti-spyware from the Alert Type drop-down list.

Table 7-4 provides an explanation of the log viewer fields available for spyware events.

Table 7-4: Spyware event log fields

Field: Information
Date: The date of the infection.
Type: The type of spyware detected. Possible values for this field include:
   • Adware
   • Browser Helper Object
   • Dialer
   • Keylogger
   • Screenlogger
   • Trojan
   • Worm
   • Spy Cookie
Spyware name: The common name of the spyware. For example, NavExcel.
Filename: The name of the spyware file, for example gmt.exe.
Action: How the spyware was handled by Endpoint Security.
Actor: Whether the action was performed by you (manual) or by Endpoint Security (auto).


Viewing virus and spyware protection status

There are two places you can view the status of your virus and spyware protection. One is on the Overview|Status page, and the other is on the Anti-virus / Anti-spyware|Main tab.

The Main tab of the Anti-virus / Anti-spyware panel displays the status of your virus and spyware protection. From this area you can:
• Verify that virus and spyware protection is turned on.
• View the dates and times of your last scan(s).
• Update definition files.
• Invoke a scan.
• View results of latest scan.
• Access advanced settings.

For information on the status information found on the Overview panel, see Chapter 2, “Using the Status tab,” starting on page 8. The section that follows describes the status information located on the Main tab of the Anti-virus / Anti-spyware panel.


Chapter 8: E-mail protection

Worms, viruses, and other threats often use e-mail to spread from computer to computer. MailSafe protects your friends, co-workers, and others in your e-mail address book.

Topics:
• “Understanding e-mail protection”
• “Enabling Outbound MailSafe protection”
• “Customizing Outbound MailSafe protection”


Understanding e-mail protection

Attaching files to e-mail messages is a convenient way of exchanging information. However, it also provides hackers with an easy way of spreading viruses, worms, Trojan horse programs, and other malware.

The outbound MailSafe feature stops worms from mass-mailing themselves to everyone you know. MailSafe only protects SMTP protocol messages.

Outbound MailSafe protection

Outbound MailSafe protection alerts you if your e-mail program tries to send an unusually large number of messages, or tries to send a message to an unusually large number of recipients. This prevents your computer from being used without your knowledge to send infected attachments to other people. In addition, Outbound MailSafe protection verifies that the program attempting to send the e-mail has permission to send e-mail messages.

Outbound MailSafe protection works with the following e-mail applications:
• Eudora
• Outlook
• Outlook Express
• Netscape Mail
• Pegasus Mail
• Juno

Enabling Outbound MailSafe protection

For your security, Outbound E-mail protection is enabled by default. When Outbound protection is enabled, Outbound MailSafe settings apply to all programs with send mail privileges.

To enable or disable Outbound E-mail protection:
1. Select E-mail Protection|Main.
2. In the Outbound E-mail Protection area, select On or Off.


Customizing Outbound MailSafe protection

By default, an Outbound MailSafe protection alert is displayed when your e-mail application attempts to send more than five e-mail messages within two seconds, or if an e-mail message has more than fifty recipients. You can customize these settings to extend the time interval, increase the number of messages and recipients allowed, or specify the e-mail addresses that are allowed to send e-mail from your computer.

Enabling Outbound MailSafe protection by program

When Outbound MailSafe protection is set to On, protection is enabled for all programs that have been granted permission to send e-mail.

By default, Endpoint Security enables Outbound MailSafe protection for the following programs:
• Eudora
• Microsoft Outlook
• Microsoft Outlook Express
• Netscape Mail
• Pegasus Mail
• Juno

You can customize Outbound MailSafe protection by enabling or disabling it for particular programs.

For information on setting permissions for a program, see “Setting permissions for specific programs,” on page 74.

To enable or disable Outbound MailSafe protection for a program:
1. Select Program Control|Programs.
2. In the Programs column, right-click a program name, then select Options.
3. Select the Security tab.
4. In the Outbound E-mail Protection area, select the check box labeled Enable Outbound E-mail Protection for this program.
   To disable Outbound MailSafe protection, clear this check box.
5. Click OK.


Setting Outbound MailSafe protection options

By default, Outbound MailSafe Protection is activated when your computer attempts to send more than five e-mail messages within two seconds, or an e-mail message with more than 50 recipients.

Because even legitimate e-mail messages may have one or both of these characteristics, you may want to customize Outbound MailSafe protection settings to better meet your individual needs.

To customize Outbound MailSafe protection settings:
1. Select E-mail Protection|Main, then click Advanced.
   The Advanced E-mail Protection dialog appears.
   Note: You must have Outbound E-mail protection enabled to access the Advanced dialog.
2. In the Display Outbound E-mail Protection Alerts When area, choose your settings.

   Too many e-mails are sent at once: Endpoint Security displays an Outbound MailSafe protection alert when your computer attempts to send more than the specified number of e-mails within the specified time interval.

   A message has too many recipients: Endpoint Security displays an Outbound MailSafe protection alert when your computer attempts to send an e-mail message with more than the specified number of recipients.

   If the sender’s address is not in this list: Endpoint Security displays an Outbound MailSafe protection alert when your computer attempts to send an e-mail whose originating address (i.e., the address in the From: field) does not appear on the list. To prevent Endpoint Security from blocking all outgoing e-mail, make sure that your valid e-mail address appears on this list.

3. Click OK.
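The three alert conditions described above can be expressed as a small sliding-window check. The following is an added example, not Check Point's code: the class name, reason strings, and sample events are constructed for illustration, and treating an empty sender list as "check disabled" is an assumption.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class OutboundMailMonitor:
    """Illustrative monitor; the default thresholds are the ones stated in the guide."""
    max_messages: int = 5            # alert on MORE than this many messages ...
    interval_seconds: float = 2.0    # ... sent within this many seconds
    max_recipients: int = 50         # alert on MORE than this many recipients
    allowed_senders: frozenset = frozenset()  # empty = sender check off (assumption)
    _recent: deque = field(default_factory=deque, repr=False)

    def __post_init__(self):
        # Compare From: addresses case-insensitively.
        self.allowed_senders = frozenset(a.lower() for a in self.allowed_senders)

    def check(self, timestamp, sender, recipients):
        """Record one outgoing message and return the list of alert reasons."""
        reasons = []
        # Sliding window: keep only send times no older than interval_seconds.
        self._recent.append(timestamp)
        while timestamp - self._recent[0] > self.interval_seconds:
            self._recent.popleft()
        if len(self._recent) > self.max_messages:
            reasons.append("too many e-mails sent at once")
        if len(recipients) > self.max_recipients:
            reasons.append("too many recipients")
        if self.allowed_senders and sender.lower() not in self.allowed_senders:
            reasons.append("sender not in list")
        return reasons


def sample_events():
    """Constructed outbound messages: (seconds, From: address, recipient list)."""
    me = "user@example.com"
    one = ["friend@example.org"]
    events = [
        (0.0, me, one),                                  # ordinary message
        (10.0, me, ["a@example.org", "b@example.org"]),  # small group mail
    ]
    # Six messages in one second, the pattern of a mass-mailing worm.
    events += [(20.0 + 0.2 * i, me, one) for i in range(6)]
    events += [
        (30.0, me, [f"r{i}@example.org" for i in range(51)]),  # 51 recipients
        (40.0, "mailer@unknown.invalid", one),                 # unlisted From:
        (50.0, me, [f"r{i}@example.org" for i in range(50)]),  # exactly 50: allowed
    ]
    return events


def run_sample(monitor=None):
    """Return {event index: reasons} for every sample message that would alert."""
    monitor = monitor or OutboundMailMonitor(allowed_senders={"user@example.com"})
    alerts = {}
    for index, (timestamp, sender, recipients) in enumerate(sample_events()):
        reasons = monitor.check(timestamp, sender, recipients)
        if reasons:
            alerts[index] = reasons
    return alerts


if __name__ == "__main__":
    for index, reasons in run_sample().items():
        print(f"message {index}: {', '.join(reasons)}")
```

Raising `max_messages` or `interval_seconds` mirrors the customization the Advanced dialog offers for senders of legitimate bulk mail.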


Chapter 9
Privacy protection

Long ago, the World Wide Web contained nothing but harmless text-based pages. Today, Web pages frequently contain elements that can give away private information about you, interrupt your work with annoying pop-ups, or even damage your computer. In addition, the files that get left behind on your computer as you use the Web can slow down your computer’s performance. Use privacy protection to guard yourself against the misuse of cookies, advertisements, and dynamic Web content, and to periodically rid your computer of unneeded Internet files.

You may or may not have access to this feature, depending upon your license key. See your system administrator for more information.

Topics:
• “Understanding privacy protection”
• “Setting general privacy options”
• “Using Privacy Advisor”
• “Setting privacy options for specific Web sites”
• “Customizing cookie control”
• “Customizing ad blocking”
• “Customizing mobile code control”
• “Understanding Cache cleaner”


Understanding privacy protection

Privacy protection helps you manage Web site elements that are commonly used either to display advertising content, or to collect data about you and your Web browsing habits. In addition, privacy settings protect you from the misuse of certain types of dynamic Web content, or mobile code.

Cookie Control keeps advertisers from spying on your Internet habits, and prevents sensitive information (passwords, for example) from being stored in cookies where they can be stolen if a hacker breaks into your computer.

Ad Blocking keeps unwanted advertisements from disrupting your Internet work. With Endpoint Security you can block all types of ads (banner ad, animated ad, and so forth) or only specific types.

Mobile Code Control keeps hackers from using active Web page content such as Java applets, ActiveX controls and plug-ins to compromise your security or damage your computer. Be aware that many legitimate Web sites use mobile code, and that enabling mobile code control may affect the functionality of these Web sites.

Cache Cleaner keeps your computer clutter-free by deleting excess files you collect while you surf the Web and use your computer. It also maintains your privacy by deleting your URL history and browser cache and other files you specify.


Setting general privacy options

Privacy protection is enabled for your browser only if you selected it during setup. If you did not enable privacy during setup, you can enable it manually.

Setting privacy protection levels

By setting the privacy protection level, you determine whether to allow or block cookies, ads, and mobile code.

To set privacy levels:
1. Select Privacy|Main.
2. In the Cookie control area, click the slider and drag it to the desired setting.

   HIGH: Blocks all cookies except session cookies. This setting may prevent some Web sites from loading.
   MED: Blocks persistent cookies and third party cookies from tracking Web sites. Allows cookies for personalized services.
   OFF: Allows all cookies.

3. In the Ad Blocking area, click the slider and drag it to the desired setting.

   HIGH: Blocks all banner ads. Blocks all pop-up/pop-under and animated ads.
   MED: Blocks all pop-up/pop-under and animated ads. Allows banner ads.
   OFF: Allows all ads.

4. In the Mobile Code Control area, select On or Off.
5. Click OK.

Applying privacy protection to programs other than browsers

By default, privacy protection is applied only to standard browser programs such as Internet Explorer. If you wish, you can also enable privacy protection for any other program on your computer.

To apply privacy protection control to a program other than a browser:
1. Select Program Control|Programs.
2. In the Programs column, click a program name, then click Options.
   The Program Options dialog appears.
3. Select the Security tab.
4. In the Filter Options area, select the check box labeled Enable Privacy for this program.


Using Privacy Advisor

Privacy Advisor is an alert that appears when Endpoint Security blocks cookies or mobile code, and enables you to allow those elements for a particular page.

To prevent Privacy Advisor from appearing each time Web page elements are blocked, select the check box labeled Turn Off Privacy Advisor.

To enable or disable Privacy Advisor:
1. Select Privacy|Main.
2. In the Cookies area, click Custom.
   The Custom Privacy Settings dialog box appears.
3. In the Privacy Advisor area, clear the Show Privacy Advisor check box.
4. Click OK.

To see details or to change privacy settings immediately, click the link labeled Click here for details. Endpoint Security opens to the Privacy panel.


Setting privacy options for specific Web sites

When you browse the Internet, the sites you visit are added to the privacy site list, where you can specify custom privacy options for that site. You also can add a site to the list to customize privacy settings.

Viewing the privacy site list

The list displays sites you have visited in your current Endpoint Security session, and sites for which you have previously customized settings. If you do not customize settings for a site you’ve visited, it is dropped from the list when you shut down your computer or shut down Endpoint Security.

Note: Privacy protection is applied at the domain level, even if a sub-domain appears in the Site List. For example, if you manually add the sub-domain news.google.com to the list, privacy protection will be applied to the entire domain of google.com.


To access the Privacy site list:
Select Privacy|Site List.

Figure 9-1: Privacy site list

A pencil icon in the Edited column indicates that you have customized privacy settings for that site, and that the site will remain in your list.

Note: Using third-party ad blocking software at the same time as Endpoint Security may prevent the privacy site list from being populated properly.

Adding sites to the privacy site list

To customize privacy settings for a site that does not appear on the site list, you can add the site manually, then edit the privacy options for that site.

To add a site to the privacy site list:
1. Select Privacy|Site List.
2. Click Add.
   The Add Site dialog appears.
3. In the URL field, enter the URL of the site you want to add, then click OK.
   The URL must be a fully qualified host name, for example, www.yahoo.com.

Note: If you are using AOL with Endpoint Security and have enabled Privacy protection, the site ie3.proxy.aol.com is added to the Privacy Site List when you visit any site during an AOL session. For example, if during your AOL session you visit the site www.cnn.com, only the AOL proxy site, ie3.proxy.aol.com, is added to the Privacy Site List. The privacy settings for the ie3.proxy.aol.com site affect all sites visited within AOL. If you manually add a site to the site list, the privacy settings for that site will be ignored, and only the security settings for the AOL proxy site, ie3.proxy.aol.com, are in effect.

Editing sites on the site list

You can customize the behavior of Cookie Control, Ad Blocking, and Mobile Code Control by editing the privacy options for sites on the Site List.

1. Select Privacy|Site List.
2. In the Site column, select the site you want to edit, then click Options.
   The Site Options dialog appears.
3. Select either the Cookies, Ad Blocking, or Mobile Code tab.
   For help with selecting custom options, see “Customizing cookie control,” on page 124, “Customizing ad blocking,” on page 126, and “Customizing mobile code control,” on page 128.
4. Specify your options, then click OK.


Customizing cookie control

Internet cookies make it possible for e-commerce sites (like Amazon, for example) to recognize you as soon as you arrive and customize the pages you visit. However, cookies can also be used to record information about your Web browsing habits and give that information to marketers and advertisers.

The default medium cookie control setting balances security with convenience by blocking only third-party cookies, those cookies that are used to track your viewing habits. Session cookies and persistent cookies are allowed.

If you wish, you can instantly block all cookies by choosing the high cookie-control setting, giving you full protection against all types of cookie abuse, but at the expense of the convenience that cookies make possible.

You can customize cookie control by specifying which types of cookies are blocked and, if cookies are allowed, when those cookies should expire.

Blocking session cookies

Session cookies are stored in your browser's memory cache while you are browsing a Web site and disappear when you close your browser window. Session cookies are the safest type of cookie because of their short life span.

To block session cookies:
1. Select Privacy|Main.
2. In the Cookies area, click Custom.
3. In the Session cookies area, select the Block session cookies check box.
4. Click OK.

Blocking persistent cookies

Persistent cookies are placed on your hard disk by Web sites you visit so that they can be retrieved by the Web site the next time you visit. While useful, they create a vulnerability by storing information about you, your computer, or your Internet use in a text file.

To block persistent cookies:
1. Select Privacy|Main.
2. In the Cookies area, click Custom.
3. In the Persistent cookies area, select the Block persistent cookies check box.
4. Click OK.

Blocking third-party cookies

A third-party cookie is a type of persistent cookie that is placed on your computer, not by the Web site you are visiting, but by an advertiser or other third party. These cookies are commonly used to deliver information about your Internet activity to that third party.

To block third-party cookies:
1. Select Privacy|Main.
2. In the Cookies area, click Custom.
3. In the 3rd Party Cookies area, specify the cookie type(s) you want to block.

   Block 3rd party cookies: Blocks cookies from third-party Web sites.
   Disable web bugs: Prevents advertisers from finding out which advertisements and Web pages you have viewed.
   Remove private header information: Prevents your IP address, your workstation name, login name, or other personal information from being transferred to third-party sources.

Setting an expiration date for cookies

The sites that use persistent cookies may set those cookies to remain active for a few days, several months, or indefinitely. While a cookie is active, the site (or third party) that created it can use the cookie to retrieve information. After the cookie expires, it can no longer be accessed.

If you choose to allow persistent cookies, you can override their expiration dates and specify how long they will remain active before expiring.

To set an expiration date for cookies:
1. Select Privacy|Main.
2. In the Cookies area, click Custom.
3. In the Cookie Expiration area, select the Expire cookies check box.
4. Specify when cookies expire.

   Immediately after receipt: Allows persistent cookies to operate only during the session in which they were received.
   After n days: Allows persistent cookies to remain active for the number of days you specify. You can choose any number from 1 to 999. The default setting is 1.

5. Click Apply, then click OK.
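To make the session, persistent, and third-party distinction and the expiration override concrete, the following added example (not Check Point's code) classifies Set-Cookie response headers and applies custom rules like those above. The function names, the constructed sample headers, and the "last two labels" domain comparison are assumptions for illustration; the comparison follows the guide's news.google.com and google.com example and is wrong for suffixes such as co.uk.

```python
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_DAY = 86400


@dataclass
class CookieRules:
    block_session: bool = False
    block_persistent: bool = False
    block_third_party: bool = False
    # None: keep the site's expiry. 0: "Immediately after receipt". 1-999: "After n days".
    expire_after_days: Optional[int] = None


def site_domain(host):
    """Simplified domain-level comparison key: news.google.com -> google.com."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_set_cookie(header):
    """Split a Set-Cookie value into its name=value pair and a dict of attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return parts[0], attrs


def classify(page_host, response_host, attrs):
    """Return 'third-party', 'persistent' or 'session' for one cookie."""
    setter = attrs.get("domain", "").lstrip(".") or response_host
    # Assumption: any cookie set from outside the visited site's domain is third-party.
    if site_domain(setter) != site_domain(page_host):
        return "third-party"
    if "max-age" in attrs or "expires" in attrs:
        return "persistent"   # the site asked for it to outlive the browser session
    return "session"


def filter_set_cookie(rules, page_host, response_host, header):
    """Return (kind, header to deliver); the header is None when the cookie is blocked."""
    pair, attrs = parse_set_cookie(header)
    kind = classify(page_host, response_host, attrs)
    blocked = {
        "session": rules.block_session,
        "persistent": rules.block_persistent,
        "third-party": rules.block_third_party,
    }[kind]
    if blocked:
        return kind, None
    has_expiry = "max-age" in attrs or "expires" in attrs
    if rules.expire_after_days is None or not has_expiry:
        return kind, header   # nothing to override
    # Override the site's lifetime (assumption: replace it rather than only shorten it).
    attrs.pop("expires", None)
    if rules.expire_after_days == 0:
        attrs.pop("max-age", None)   # no expiry left: lives only for this session
    else:
        attrs["max-age"] = str(rules.expire_after_days * SECONDS_PER_DAY)
    rebuilt = [pair] + [k if v == "" else f"{k}={v}" for k, v in attrs.items()]
    return kind, "; ".join(rebuilt)


# Constructed sample: responses received while viewing www.shop.example.
PAGE_HOST = "www.shop.example"
SAMPLE_RESPONSES = [
    ("www.shop.example", "sid=abc123; Path=/; HttpOnly"),
    ("www.shop.example", "prefs=dark; Max-Age=31536000; Path=/"),
    ("ads.tracker.example", "uid=42; Max-Age=63072000; Domain=.tracker.example"),
    ("img.shop.example", "cart=3"),
]


def run_sample(rules):
    return [filter_set_cookie(rules, PAGE_HOST, host, hdr) for host, hdr in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for kind, delivered in run_sample(CookieRules(block_third_party=True, expire_after_days=1)):
        print(f"{kind:12} -> {delivered if delivered is not None else 'BLOCKED'}")
```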


Customizing ad blocking

Ad blocking is disabled by default. You can customize ad blocking to block all banner ads and skyscraper ads, pop-up and pop-under ads, and animated ads, or to block only specific types of ads. In addition, you can specify what Endpoint Security displays in place of blocked ads.

Specifying which ads to block

Privacy protection allows you to specify which types of ads to block or to allow.

To specify which ads to block:
1. Select Privacy|Main.
2. In the Ad Blocking area, click Custom.
   The Custom Privacy settings dialog appears.
3. In the Ads to Block area, select the type of ad you want to block.

   Banner/skyscraper ads: Blocks ads that appear in either a horizontal or vertical banner.
   Pop-up/pop-under: Blocks ads that appear in a new browser window in front of or behind the window you are viewing.
   Animated ads: Blocks ads that incorporate moving images.

4. Click OK.

Setting ad void control options

When Endpoint Security blocks banner, skyscraper, or animated ads, it leaves a “void” or blank on your screen where the ad was to be displayed. Ad void control lets you specify what will be displayed in that space.

To specify what appears in place of blocked ads:
1. Select Privacy|Main.
2. In the Ad Blocking area, click Custom.
   The Custom Privacy settings dialog appears.
3. In the Ad Void Control area, specify the method for controlling blocked ads.

   Nothing: Blocks ads without any indication that the ads were to appear.
   A box with the word “[AD]”: Displays a window containing the word AD. This is the default setting.
   A box I can mouse over to get the ad to appear: Displays a window containing the ad that appears only when you activate the window using your mouse.

4. Click OK.


Customizing mobile code control

Mobile code is content on a Web page that is active or executable in nature. Examples of active content include Java applets, ActiveX controls, and JavaScript, all of which can be used to make Web pages more interactive and dynamic.

Malicious mobile code, however, can copy files, clear your hard disk, steal passwords, or command servers. Mobile code control keeps hackers from using active content to compromise your security or damage your computer.

The default setting for mobile code control is Off. When turned to On, all mobile code except JavaScript is blocked. You can customize your mobile code control settings by specifying what types of mobile code are blocked when mobile code control is set to On.

Specifying which types of mobile code to block

You can customize mobile code control by specifying which types of active content to block and which to allow.

To customize mobile code control:
1. Select Privacy|Main.
2. In the Mobile Code Control area, click Custom.
   The Custom Privacy settings dialog appears.
3. In the Mobile Code Control area, specify the types of mobile code to block.

   Block JavaScript: Blocks JavaScript content, including that required for common uses such as Back and History links, rollover images, and opening and closing browser windows.
   Block scripts (vbscript, etc.): Blocks scripts that execute automatically, including those required for displaying banners, pop-up ads, and dynamic menus.
   Block embedded objects (java, ActiveX): Blocks objects embedded in Web pages, including sound and image files.
   Block mime-type integrated objects: Blocks MIME-type objects integrated in e-mail messages, such as image, sound, or video files.
   Note: This option also blocks legitimate executable files sent through the browser, including downloads that you may want to allow. When this occurs, you'll see the error “This object has been blocked” in the browser. For downloads initiated by you, it is safe to disable the Block mime-type integrated objects feature.


Understanding Cache cleaner

Whenever you open a file, view a Web page, or fill out an online form, copies of the Web pages you view are stored in your browser’s cache, enabling pages to load more quickly. If you’re working on a shared computer, these files also are available for viewing by anyone who uses that computer.

Similarly, when you open a file, delete a file, or search for files on your computer, these actions leave behind an electronic trail designed to help you retrace your steps, should you need to in the future. Although useful, over time this excess clutter can affect your computer’s performance and processing efficiency. And, again, if you are using a shared computer, anyone who uses that computer can find out what Web sites you have viewed.

Use Endpoint Security’s Cache Cleaner to periodically rid your computer of these excess files, free up disk space, and ensure your privacy.

Using Cache Cleaner

You can run Cache Cleaner manually anytime you want to. If you prefer to schedule cache cleanings, you can configure Cache Cleaner to run automatically at regular intervals: as often as every day, to as infrequently as every 99 days. The default value for automatic cleaning is every 14 days.

To run Cache Cleaner manually:
1. Select Privacy|Cache Cleaner.
2. Click Clean Now.
   A verification message appears.
3. Click OK.
   You will see a progress meter while Cache Cleaner runs.

To schedule Cache Cleaner to run automatically:
1. Select Privacy|Cache Cleaner.
2. Select the Clean cache automatically every check box.
3. In the Clean Cache Automatically area, specify a cleaning interval between 1 and 99.
   The dates of the last cleaning and the next scheduled cleaning are displayed below the check box.

Customizing hard drive cleaning options

By default, Cache Cleaner cleans the following files from your hard drive:
• Contents of the Recycle Bin
• Contents of the Temp files directory
• Windows Scandisk fragments

You can customize these settings by specifying additional areas to be cleaned, including your Document history, Search history, or Windows Media Player history.

To customize cleaning options for your hard drive:
1. Select Privacy|Cache Cleaner, then click Custom.
2. Select Hard Drive, then specify cleaning options.

   Clean Document history: Cleans the list of files that appears at Start|Documents. This setting only applies to the document history for the currently logged-in user.
   Clean Recycle Bin: Cleans the contents of the Windows Recycle Bin. Selected by default.
   Clean temp files directory: Cleans the Windows temp directories. Selected by default.
   Clean Windows Find/Search history: Cleans the items in the Windows Find/Search list.
   Clean Windows Scandisk fragments: Cleans chunks of lost or damaged data recovered by Windows’ ScanDisk program. Selected by default.
   Clean Windows Media Player history: Cleans the list of recently played media clips in Windows Media Player.
   Run history: Cleans the list that appears in the Open drop-down list at Start|Run.

3. Click Apply, then click OK.

Customizing browser cleaning options

If you use either Internet Explorer or Netscape, you can configure Cache Cleaner to remove cookie files that are stored on your computer while you browse the Web. Cache Cleaner identifies cookies to remove by the cookie source, rather than by the individual cookie file. When you specify a cookie source to remove, Cache Cleaner removes all cookies from that source. If there are cookies on your computer that you do not want to remove, you can configure Cache Cleaner to retain those cookies.

To customize cleaning options for IE/MSN:
1. Select Privacy|Cache Cleaner, then click Custom.
2. Select the IE/MSN tab.


3. In the Internet Explorer/MSN cleaning options area, specify the areas to be cleaned.

   Clean cache: Cleans the Internet Explorer browser cache. Selected by default.
   Clean URL history: Cleans the URLs list in the Address field. Selected by default.
   Clean AutoComplete forms: Cleans the previous entries you've made for Web forms, including passwords.
   Note: If you do not want your passwords to be cleaned, clear the “Clean AutoComplete forms” check box.
   Clean AutoComplete passwords: Cleans passwords for which you selected “Remember password.”
   Clean locked Index.dat files: Cleans index.dat files that are currently in use by your computer. Selected by default.
   Clean typed URL history: Cleans the URLs you have typed into the Address field. Selected by default.

4. To remove cookies, select the Clean IE/MSN cookies check box, then click Select.
   The Select IE/MSN cookies to keep dialog appears. The list on the left shows the sites for which the browser currently has cookies. The list on the right shows the sites whose cookies you do not want to clean.
5. To retain a cookie source, select the cookie source, then click Keep.
6. To remove remaining cookies, click Remove, then click OK.

To customize cleaning options for Netscape:
1. Select Privacy|Cache Cleaner, then click Custom.
2. Select the Netscape tab.
3. In the Netscape cleaning options area, specify the areas to be cleaned.

   Clean cache: Cleans the Netscape browser cache. Selected by default.
   Clean URL history: Cleans the URLs list in the Location field. Selected by default.
   Clean mail trash: Cleans the Netscape Mail Trash folder.
   Clean forms data: Cleans the previous entries you've made for Web forms.

4. To remove cookies, select the Clean Netscape cookies check box.
   The Select Netscape cookies to keep dialog appears. The list on the left shows the sites for which the browser currently has cookies. The list on the right shows the sites whose cookies you do not want to clean.
5. To retain a cookie source, select the cookie source, then click Keep.
6. To remove remaining cookies, click Remove, then click OK.




Chapter 10
Policies

Policy enforcement enables Endpoint Security to protect your enterprise network by enforcing a security policy created by your network administrator. Enterprise policy enforcement occurs when Endpoint Security client is used in an Endpoint Security server environment. With Endpoint Security, your administrator can send enterprise policies out to the computer users on the enterprise’s local network. In this way, your enterprise can be sure that everyone on the network is adequately protected from Internet threats.

Topics:
• “Personal, enterprise, and disconnected security policies”
• “Understanding policy arbitration”


Personal, enterprise, and disconnected security policies

The settings you choose for your firewall, program control, e-mail protection and other features in Endpoint Security make up your personal security policy.

An enterprise security policy, in contrast, is a collection of settings for the same security features, created by your company’s security administrator and assigned to users on the enterprise network.

A disconnected policy, also created by a security administrator, enforces certain enterprise security settings even when your computer isn’t connected to the corporate network.

A security administrator sends enterprise policies to the Endpoint Security clients on the corporate network. In this way, your company can be sure that everyone on the network is adequately protected from Internet threats.

If you are out of compliance with the enterprise policy, your computer may enforce restricted rules that limit your access. If this occurs, you will be directed to a Web page that provides instructions for getting your computer back into compliance. If you need further assistance, contact your system administrator.


Understanding policy arbitration

Your personal policy is active whenever Endpoint Security is running. An enterprise policy may be active or inactive, depending on the situation.

When both your personal policy and an enterprise policy are active, Endpoint Security arbitrates between the two policies. In general, this means that the more restrictive of the two policy settings is enforced. For example, if your personal policy calls for the Internet Zone security level to be set to medium, and an active enterprise policy calls for it to be set to high, the high setting is enforced.

Because of policy arbitration, an active enterprise policy may block traffic that your personal policy is set to allow, or vice-versa. If you think Endpoint Security is blocking legitimate traffic that should be allowed, contact your system administrator.

Viewing available policies

Depending upon how your administrator has configured your policy settings, you may only be able to view your personal, enterprise, and disconnected policies, or you might also be able to view any updates that have been made to your enterprise policy. Based on your particular configuration, the policies list may look different from the image shown below.

Figure 10-1: Policies list


Using the Policies panel

Use the Policies panel to:
• See which policies are installed, which one is currently active, and the last time a policy was updated.
• Access a text version of policy settings for each enterprise policy, and for your personal policy.

The Policies panel appears only if your version of Endpoint Security is configured to display it. If this panel is not available, it might mean:
• Your version of Endpoint Security does not include Policies functionality.
• Your version includes Policy functionality, but your administrator has elected not to display the panel.

Policy Name

The field displays the name of the policy.

“Personal Policy” refers to the settings you have established for Endpoint Security by using the Control Center. Other policy names refer to enterprise policies that your administrator has installed on your computer.

Active

This column indicates whether the listed policy is currently active. The personal policy is always active. An enterprise policy may be active or inactive, depending on settings chosen by your administrator. When both your personal policy and an enterprise or disconnected policy are active, Endpoint Security arbitrates between the two active policies.

To learn about policy arbitration, see the related topic Enterprise policy enforcement.

Last Server Contact

For enterprise security policies, this column indicates when Endpoint Security most recently established a connection to an Endpoint Security Server. A date and time means that a connection to Endpoint Security Server currently exists and that Endpoint Security is enforcing the listed enterprise policy. Otherwise, this column displays the word “Disconnected.”

Author

The author is the administrator who created and assigned the security policy. The author for the personal policy is always listed as “N/A” because you, rather than an administrator, created it.

Entry Detail Area

The Entry Detail area at the bottom of the main policies window displays details about the policy that is currently selected in the list.


Chapter 11: Alerts and Logs

You may be the type of person who wants to know everything that happens on your computer--or you may not want to be bothered, as long as you know your computer is secure. Endpoint Security accommodates you, no matter which kind of person you are. You can be notified by an alert each time Endpoint Security acts to protect you; or only when an alert is likely to have resulted from hacker activity. You can also choose to log all alerts, only high-rated alerts, or alerts caused by specific traffic types.

Topics:
• “Understanding alerts and logs”
• “Setting basic alert and log options”
• “Showing or hiding specific alerts”
• “Setting event and program log options”
• “Using Alert Advisor”


Understanding alerts and logs

Endpoint Security alert and logging features keep you aware of what’s happening on your computer without being overly intrusive, and enable you to go back at any time to investigate past alerts.

About alerts

Endpoint Security generates two alert types: enterprise or personal, which correspond to settings or rules contained in the active policy. Both policy types have three categories of alerts: informational, program, and network.

To learn how to respond to specific alerts, see Appendix A, “Alert reference,” starting on page 150.

Informational alerts

Informational alerts tell you that Endpoint Security has blocked a communication that did not fit your security settings.

Informational alerts don’t require a decision from you. By clicking the OK button at the bottom of the alert, you close the alert box, but you don’t allow anything into your computer.

Program alerts

Program alerts ask you if you want to allow a program to access the Internet or local network, or to act as a server. Program alerts require a Yes or No response. The most common types of Program alerts are the New Program alert and Repeat Program alert.

By clicking the Yes button, you grant permission to the program. By clicking the No button, you deny permission to the program.

New Network alerts

New Network alerts occur when you connect to any network--be it a wireless home network, a business LAN, or your ISP’s network.

If you’re on a home or local network, New Network alerts let you instantly configure Endpoint Security to allow you to share resources with the network.

About event logging

By default, Endpoint Security creates a log entry every time traffic is blocked, whether an alert is displayed or not. Log entries record the traffic source and destination, ports, protocols, and other details. The information is recorded to a text file named ZALOG.txt, stored in the Internet Logs folder. Every 60 days, the log file is archived to a dated file, so that it doesn’t become too large.

You can choose to prevent specific categories of events from being logged; for example, you may want to create log entries only for firewall alerts, or suppress entries for a particular type of Program alert.


Setting basic alert and log options

Basic alert and log options let you specify the type of event for which Endpoint Security displays an alert and for which events it creates a log entry.

Setting the alert event level

The alert events Shown control, in the Main tab of Alerts & Logs, lets you control the display of alerts by rating. Program alerts are always displayed, because they ask you to decide whether to grant permission.

To set the alert event level:

1. Select Alerts & Logs|Main.
2. In the alert events Shown area, select the desired setting.

HIGH: Displays an alert for every security event that occurs, both high-rated and medium-rated.
MED: Displays only high-rated alerts, which are most likely a result of hacker activity.
OFF: Displays Program alerts only. Informational alerts are not displayed.

Setting event and program logging options

Use the Event Logging and Program Logging areas to choose what types of informational alerts and program alerts will be logged.

To enable or disable event logging and program logging:

1. Select Alerts & Logs|Main.
2. In the Event Logging area, select the desired setting.

On: Creates a log entry for all events.
Off: No events are logged.

3. In the Program Logging area, specify the log level.

High: Creates a log entry for all program alerts.
Med: Creates a log entry for high-rated program alerts only.
Off: No program events are logged.


Showing or hiding specific alerts

You can specify whether you want to be alerted to all security and program events, or if you only want to be notified of events that are likely a result of hacker activity.

Showing or hiding firewall alerts

The alert events tab gives you more detailed control of alert display by allowing you to specify for which types of blocked traffic Firewall and Program alerts are displayed.

To show or hide firewall or program alerts:

1. Select Alerts & Logs|Main, then click Advanced.
The Alert & Log Settings dialog appears.
2. Select the Alert Events tab.
3. In the Alert column, select the type of blocked traffic for which Endpoint Security should display an alert.
4. Click Apply to save your changes.

Enabling system tray alerts

When you choose to hide some or all informational alerts, Endpoint Security can still keep you aware of those alerts by showing a small alert icon in the system tray.

To enable system tray alerts:

1. Select Alerts & Logs|Main.
2. Click Advanced, then click the System Tray Alert tab.
3. Select the Enable system tray alert icon check box.


Setting event and program log options

You can specify whether Endpoint Security keeps a record of security and program events by enabling or disabling logging for each type of alert.

Formatting log appearance

Use these controls to determine the field separator for your text log files.

To format log entries:

1. Select Alerts & Logs, then click Advanced.
The Advanced Alerts and Log Settings dialog appears.
2. Select the Log Control tab.
3. In the Log Archive Appearance area, select the format to be used for logs.

Tab: Select Tab to separate fields with a tab character.
Comma: Select Comma to separate fields with a comma.
Semicolon: Select Semicolon to separate log fields with a semicolon.

Customizing event logging

By default, Endpoint Security creates a log entry when a high-rated firewall event occurs. You can customize Firewall alert logging by suppressing or allowing log entries for specific security events, such as MailSafe quarantined attachments, Blocked non-IP packets, or Lock violations.

To create or suppress log entries based on event type:

1. Select Alerts & Logs|Main.
2. Click Advanced.
The Advanced Alerts and Logs dialog box appears.
3. Select Alert Events.
4. In the Log column, select the type of event for which Endpoint Security should create a log entry.
5. Click Apply to save your changes.
6. Click OK to close the Alert & Log Settings dialog.

Customizing program logging

By default, Endpoint Security creates a log entry when any type of Program alert occurs. You can customize Program alert logging by suppressing log entries for specific Program alert types, such as New Program alerts, Repeat Program alerts, or Server Program alerts.

To create or suppress log entries based on event type:

1. Select Alerts & Logs|Main.
2. In the Program Logging area, click Custom.
3. In the Program Logs column, select the type of event for which Endpoint Security should create a log entry.
4. Click Apply to save your changes.
5. Click OK to close the Alert & Log Settings dialog.

Viewing log entries

You can view log entries two ways: in a text file using a text editor, or in the Log Viewer. Although the format of each type of log differs slightly, the general information contained in the log is the same.

To view the current log in the Log Viewer:

1. Select Alerts & Logs|Log Viewer.
2. Select the number of alerts to display (from 1 to 99) in the alerts list.
You can sort the list by any field by clicking the column header. The arrow (^) next to the header name indicates the sort order. Click the same header again to reverse the sort order.
3. Click a log entry to view Log entry details.


Log Viewer fields

At the top of the Log Viewer panel, the Alert Type drop-down list allows you to view either Program or Firewall alerts.

| Column Heading | Description |
|---|---|
| Rating | Each alert is rated critical, high, or medium. Critical-rated and High-rated alerts are those likely to have been caused by hacker activity. Medium-rated alerts are likely to have been caused by unwanted but harmless network traffic. |
| Date / Time | The date and time the alert occurred. |
| Type | The type of alert: Firewall, Program, Malicious Code Detection, Lock Enabled, Scan, Update, or Treat. |
| Protocol | At the top of the Log Viewer panel, in the Alert Type drop-down list choose Firewall to view the Protocol column. Identifies the protocol used by the traffic that caused the alert condition. |
| Program | The name of the program attempting to send or receive data. (Applies only to Program alerts). |
| Source IP | The IP address of the computer that sent the traffic that Endpoint Security blocked. |
| Destination IP | The address of the computer the blocked traffic was sent to. |
| Direction | The direction of the blocked traffic. “Incoming” means the traffic was sent to your computer. “Outgoing” means the traffic was sent from your computer. |
| Action Taken | How the traffic was handled by Endpoint Security. |
| Count | The number of times an alert of the same type, with the same source, destination, and protocol, occurred during a single session. |
| Source DNS | The domain name of the computer that sent the traffic that caused the alert. |
| Destination DNS | The domain name of the intended addressee of the traffic that caused the alert. |
| Policy | The name of the policy containing the security setting or rule that caused the alert. Endpoint Security recognizes three policy types: personal, enterprise, and disconnected. See “Using the Policies panel,” on page 137, for information about viewing Endpoint Security’s currently active policies. |
| Rule | At the top of the Log Viewer panel, in the Alert Type drop-down list choose Firewall to view the Rule column. When an alert was caused by conditions specified in a classic firewall rule, this column contains the name of the rule. |

Table 11-1: Log Viewer Fields


Viewing the text log

By default, alerts generated by Endpoint Security are logged in the file ZAlog.txt. If you are using Windows 95, Windows 98 or Windows Me, the file is located in the following folder: (x):\Windows\Internet Logs. If you are using Windows NT or Windows 2000, the file is located in the following folder: (x):\Winnt\Internet Logs.

To view the current log as a text file:

1. Select Alerts & Logs|Main.
2. Click Advanced.
The Advanced Alerts & Log Settings dialog box opens.
3. Select the Log Control tab. In the Log Archive Location area, click View Log.

Text log fields

Log entries contain the fields described in the table below.

| Field | Description | Example |
|---|---|---|
| Type | The type of event recorded. | FWIN |
| Date | The date of the alert, in format yyyy/mm/dd | 2001/12/31 (December 31, 2001) |
| Time | The local time of the alert. This field also displays the hours difference between local and Greenwich Mean Time (GMT). | 17:48:00 -8:00 GMT (5:48 PM, eight hours earlier than Greenwich Mean Time. GMT would be 01:48.) |
| Source | The IP address of the computer that sent the blocked packet, and the port used; OR the program on your computer that requested access permission. | 192.168.1.1:7138 (FW events) Microsoft Outlook (PE e |
| Destination | The IP address and port of the computer the blocked packet was addressed to. | 192.168.1.101:0 |
| Transport | The protocol (packet type) involved. | UDP |

Table 11-2: Text log fields

Archiving log entries

At regular intervals, the contents of ZAlog.txt are archived to a date-stamped file, for example, ZALog2005.09.12.txt (for September 12, 2005). This prevents ZAlog.txt from becoming too large.

To view archived log files, use Windows Explorer to browse to the directory where your logs are stored.

To set archive frequency:

1. Select Alerts & Logs|Main, then click Advanced.
2. Select the Log Control tab.
3. Select the Log Archive Frequency check box.
If the Log Archive Frequency check box is not selected, Endpoint Security continues to log events for display in the Log Viewer tab, but does not archive them to the ZAlog.txt file.
4. In the Log Frequency area, specify the log frequency (between 1 and 60 days), then click Apply.

Specifying the archive location

The ZAlog.txt file and all archived log files are stored in the same directory.

To change the log and archive location:

1. Select Alerts & Logs|Main.
2. Click Advanced.
The Advanced Alerts & Log Settings dialog box opens.
3. Select the Log Control tab.
4. In the Log Archive Location area, click Browse.
Select a location for the log and archive files.
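The text log fields and separator choices described above can be read back into structured records to see which sources account for repeated blocked-traffic entries. This is an added example, not code from the guide or from Check Point; it assumes one entry per line with the fields in the order the text log fields table lists them, and the function names, the "PE" type code and all sample lines other than the table's own example values are constructed for illustration.

```python
"""Parse text-log entries (fields as in the text log fields table) and count
blocked inbound events per source address. Added example, not vendor code."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

# Assumption: one entry per line, fields in the order the table lists them.
FIELDS = ("type", "date", "time", "source", "destination", "transport")
SEPARATORS = ("\t", ",", ";")  # Tab, Comma, Semicolon (Log Control tab)
TIME_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+([+-]?)(\d{1,2}):(\d{2})\s*GMT$")

# Constructed sample. Line 1 reuses the table's example values; the "PE"
# type code and every other value are made up for illustration.
SAMPLE_LOG = """\
FWIN,2001/12/31,17:48:00 -8:00 GMT,192.168.1.1:7138,192.168.1.101:0,UDP
FWIN,2001/12/31,17:48:05 -8:00 GMT,10.0.0.7:4021,192.168.1.101:135,TCP
FWIN,2001/12/31,17:48:06 -8:00 GMT,10.0.0.7:4022,192.168.1.101:139,TCP
FWIN,2001/12/31,17:48:07 -8:00 GMT,10.0.0.7:4023,192.168.1.101:445,TCP
PE,2001/12/31,17:49:00 -8:00 GMT,Microsoft Outlook,192.168.1.50:25,TCP
FWIN,2001/12/31,not-a-time,10.0.0.9:1,192.168.1.101:80,TCP
"""


class LogEntry(NamedTuple):
    type: str
    when_utc: datetime
    source: str                 # raw field: "ip:port" or a program name
    source_ip: Optional[str]    # None when the source is a program name
    source_port: Optional[int]
    destination: str
    transport: str


def detect_separator(line):
    """Return the separator that splits the line into the expected fields."""
    for sep in SEPARATORS:
        if len(line.split(sep)) == len(FIELDS):
            return sep
    raise ValueError("no separator yields %d fields: %r" % (len(FIELDS), line))


def parse_timestamp(date_s, time_s):
    """Convert local time plus its offset from GMT into an aware UTC datetime."""
    m = TIME_RE.match(time_s)
    if not m:
        raise ValueError("unrecognised time field: %r" % time_s)
    clock, sign, hh, mm = m.groups()
    offset = timedelta(hours=int(hh), minutes=int(mm))
    if sign == "-":
        offset = -offset
    local = datetime.strptime(date_s + " " + clock, "%Y/%m/%d %H:%M:%S")
    return (local - offset).replace(tzinfo=timezone.utc)


def split_endpoint(field):
    """Split "ip:port"; return (None, None) for anything else (program name)."""
    host, _, port = field.rpartition(":")
    try:
        ip, port_n = ipaddress.IPv4Address(host), int(port)
    except ValueError:
        return None, None
    return (str(ip), port_n) if 0 <= port_n <= 65535 else (None, None)


def parse_line(line, sep=None):
    line = line.rstrip("\r\n")
    parts = [p.strip() for p in line.split(sep or detect_separator(line))]
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields: %r" % (len(FIELDS), line))
    rec = dict(zip(FIELDS, parts))
    ip, port = split_endpoint(rec["source"])
    return LogEntry(rec["type"], parse_timestamp(rec["date"], rec["time"]),
                    rec["source"], ip, port, rec["destination"], rec["transport"])


def parse_log(text):
    """Return (entries, rejected); rejected holds (line number, reason)."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entries.append(parse_line(line))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return entries, rejected


def summarise_sources(entries, event_type="FWIN", min_events=3):
    """List (source ip, event count, distinct destination ports) per source."""
    counts, ports = Counter(), defaultdict(set)
    for e in entries:
        if e.type != event_type or e.source_ip is None:
            continue
        counts[e.source_ip] += 1
        _, dport = split_endpoint(e.destination)
        if dport is not None:
            ports[e.source_ip].add(dport)
    return [(ip, n, len(ports[ip])) for ip, n in counts.most_common()
            if n >= min_events]


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    print(summarise_sources(parsed), bad)
```

A source that hits many distinct destination ports is a different triage case from one that repeats a single port, which is why the summary carries both counts.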


Using Alert Advisor

Check Point AlertAdvisor is an online utility that enables you to instantly analyze the possible causes of an alert, and helps you decide how to respond to a Program alert. To use AlertAdvisor, click the More Info button in an alert pop-up. Endpoint Security sends information about your alert to AlertAdvisor. AlertAdvisor returns an article that explains the alert and gives you advice on what, if anything, you need to do to ensure your security.

To submit an alert to AlertAdvisor:

1. Select Alerts & Logs|Log Viewer.
2. Right-click anywhere in the alert record you want to submit.
3. Select More Info from the shortcut menu.


Appendix A: Alert reference

This chapter provides detailed information about the various types of alerts you may see while using Endpoint Security. Use this chapter to find out why alerts happen, what they mean, and what to do about them.

Topics:
• “Informational alerts”
• “Program alerts”
• “Instant Messaging alerts”


Informational alerts

Informational alerts tell you that Endpoint Security has blocked a communication that did not fit your security settings. They do not require a decision from you.

Firewall alert/Protected

Firewall alerts are the most common type of informational alert. Firewall alerts inform you that the Endpoint Security firewall has blocked traffic based on port and protocol restrictions or other firewall rules.

Why these alerts occur

Firewall alerts with a red band at the top indicate high-rated alerts. High-rated alerts often occur as a result of hacker activity.

Firewall alerts with an orange band at the top indicate medium-rated alerts. Medium-rated alerts are likely the result of harmless network traffic, for example, if your ISP is using ping to verify that you’re still connected. However, they also can be caused by a hacker trying to find unprotected ports on your computer.

What you should do

If you’re on a home or business network, and your Trusted Zone security is set to high, normal LAN traffic such as NetBIOS broadcasts may generate firewall alerts. Try lowering Trusted Zone security to medium.

By default, Endpoint Security only displays high-rated firewall alerts. If your defaults have been changed, you may see a lot of medium-rated alerts. Try setting your alert display settings to medium.

If you are receiving a large number of firewall alerts, and you are working on a home network or business LAN, it is possible that normal network communications are being blocked. If this is happening, you can eliminate the alerts by placing your network in the Trusted Zone.

How to see fewer of these alerts

Repeated alerts may indicate that a resource you want to trust is trying repeatedly to contact you. If you are receiving a lot of firewall alerts, but you don’t suspect you’re under attack, try the following troubleshooting steps:

• Determine if the source of the alerts should be trusted.
  • Submit repeated alerts to AlertAdvisor to determine the source IP address that caused the alerts.
  • If the alerts were caused by a source you want to trust, add it to the Trusted Zone.
• Determine if your Internet Service Provider is sending you “heartbeat” messages.
  • Try the procedures suggested for managing ISP heartbeat. See “Allowing ISP Heartbeat messages,” on page 177.


MailSafe alert

MailSafe alerts let you know that Endpoint Security has quarantined a potentially dangerous outgoing e-mail message.

Why these alerts occur

A violation of Outbound MailSafe protection settings, such as an e-mail that has too many recipients, or too many e-mails within a short time, can cause a MailSafe alert to occur.

What you should do

• Examine the alert carefully. Does the activity noted describe actions you were recently performing? For example, did you recently attempt to send out a legitimate mailing to a large number of recipients, or to send many e-mails in a short period of time? If so, you may want to modify your Outbound MailSafe settings to better accommodate your needs. See “Outbound MailSafe protection,” on page 113.
• Verify that your e-mail address is listed on the approved sender’s list. If you selected the “if the sender’s e-mail is not in this list” option, and if your e-mail either is not on that list or is misspelled, add your valid e-mail address to the list.

Blocked Program alert

Blocked Program alerts tell you that Endpoint Security has prevented an application on your computer from accessing the Internet or Trusted Zone resources. By clicking OK, you’re not allowing the program access, just acknowledging that you saw the alert.

Why these alerts occur

Blocked Program alerts occur when a program tries to access the Internet or the Trusted Zone, even though you have explicitly denied it permission to do so.

What you should do

If the program that was blocked is one that you want to have access to the Internet Zone or Trusted Zone, use the Programs tab to give the program access permission.


How to see fewer of these alerts

To turn off Blocked Program alerts, do either of the following:

• When you see a Blocked Program alert, select Do not show this dialog again before clicking OK. From then on, all Blocked Program alerts will be hidden. Note that this will not affect New Program, Repeat Program, or Server Program alerts.
• In the Program Control panel, click Advanced to access the Alerts & Functionality tab, then clear the check box labeled Show alert when Internet access is denied.

Turning off Blocked Program alerts does not affect your level of security.

Internet Lock alert

Internet Lock alerts let you know that Endpoint Security has blocked incoming or outgoing traffic because the Internet Lock is engaged. By clicking OK, you’re not opening the lock; you’re just acknowledging that you’ve seen the alert.

Why these alerts occur

These alerts occur only when the Internet Lock is engaged.

What you should do

Click OK to close the alert pop-up.

If the Internet Lock has been engaged automatically (or accidentally), open it to prevent further alerts. See “Understanding Zones,” on page 9.

You may want to give certain programs (for example, your browser) permission to bypass the Internet Lock, so that you can continue to perform some basic functions under the lock's higher security. See “Granting pass-lock permission to a program,” on page 77.

How to see fewer of these alerts

If you are receiving a lot of Internet Lock alerts, it is possible that your Automatic Internet Lock settings are engaging the Internet Lock after every brief period of inactivity.

To reduce the number of alerts, you can do either of the following:

• Turn off the Automatic Internet Lock.
• Increase the interval of inactivity required to engage the Automatic Internet Lock. For more information, see “Enabling the automatic lock,” on page 71.


Endpoint Security Policy Received alert

This alert tells you that Endpoint Security has received a new enterprise policy from Endpoint Security Server.

Why these alerts occur

These alerts occur when your system administrator updates your enterprise policy and deploys that policy to your computer from Endpoint Security Server.

What you should do

Click OK to close the alert box. By doing this, you're not allowing any traffic in or out of your computer.

How you can see fewer of these alerts

It is unusual to see repeated Endpoint Security Policy Received alerts. If you are seeing such alerts, contact your system administrator, or disable alert display in the Main tab of the Alerts & Logs panel.

Compliance alert

Compliance alerts occur when Endpoint Security server operating in conjunction with the Endpoint Security client determines that your computer is non-compliant with enterprise security requirements. Depending on the type of non-compliance, your ability to access the corporate network may be restricted or even terminated.

Why these alerts appear

These alerts appear when you are trying to connect to your corporate network and you are out of compliance with the enterprise policy stored in Endpoint Security Server.

What you should do

Compliance alerts, in conjunction with special Web pages, will tell you what you need to do to come into compliance with security policy settings.

• If the non-compliant condition does not require immediate remediation, your access to the corporate network may be restricted: You can continue to access some corporate network resources, but you should perform the steps necessary to make your computer compliant as soon as possible.
• If the non-compliant condition requires immediate remediation, your access to the corporate network may be terminated. In this case, you may only be able to access the Web page that tells you how to make your computer compliant with corporate security requirements.

Click on the link in the alert or corresponding Web page to begin the remediation process. Remediation generally involves installing a newer version of Endpoint Security or approved antivirus software. If you see a Compliance alert and you are unsure how to bring your computer into compliance with corporate security, consult your system administrator.

Your administrator has the option of configuring Endpoint Security to automatically install any applications required to bring your computer into compliance with corporate guidelines. In some cases, this might result in a program being installed on your computer without warning, and could require a reboot of your computer. If you experience an automatic system reboot or if a program attempts to install itself on your computer, consult your system administrator.

How you can see fewer of these alerts

You can avoid seeing Compliance alerts by keeping your computer in compliance with the security policy established by your administrator.

Connected/Disconnecting alert

These alerts tell you when Endpoint Security logs into, or logs off from, Endpoint Security Server.

Why these alerts occur

These alerts are strictly informational. They inform you that Endpoint Security client has logged into Endpoint Security Server.

What you should do

When you see this alert, there's nothing you have to do to ensure your security. Click OK to dismiss the alert box. By doing this, you're not allowing any traffic in or out of your computer.

However, if Endpoint Security repeatedly disconnects from Endpoint Security Server, and you think this might be due to a network problem, contact your system administrator.

How you can see fewer of these alerts

In an Endpoint Security environment, it is normal to see a Protected alert when you start your computer or start Endpoint Security. To avoid seeing any informational alerts, turn off alerts in the Main tab of the Alerts & Logs panel.


Program alerts

Most of the time, you’re likely to see program alerts when you’re actually using a program. For example, if you’ve just installed Endpoint Security, and you immediately open Microsoft Outlook and try to send an e-mail message, you’ll get a program alert asking if you want Outlook to have Internet access. However, program alerts can also occur if a Trojan horse or worm on your computer is trying to spread.

New Program alert

New Program alerts enable you to set access permission for a program that has not asked for Internet Zone or Trusted Zone access before. If you click Yes, the program is allowed access. If you click No, the program is denied access.

Why these alerts occur

New Program alerts occur when a program on your computer tries to initiate a connection with a computer in the Internet Zone or Trusted Zone, and that program has not already received access permission from you.

As you begin to work with Endpoint Security, you will probably see one or more New Program Alerts.

What you should do

Click Yes or No in the alert pop-up after answering these questions:

• Did you just launch a program or process that would reasonably require permission? If so, it’s probably safe to click Yes. If not, continue.
• Do you recognize the name of the program in the Alert pop-up? If so, does it make sense for the program to need permission? If so, it’s probably safe to click Yes. If not, or if you’re not sure, continue.
• Click the More Info button in the alert box. This submits your alert information (for example, the name of the program and the address it was trying to reach) to AlertAdvisor, which then displays a Web page with information about the alert and the program. Use the AlertAdvisor information to help you decide if it’s safe to answer Yes.
  If your browser does not have permission to access the Internet, you will be rerouted to this help file. To access AlertAdvisor, give your browser permission to access the Internet.
• If you’re really not sure what to do, it’s best to click No. You can always grant permission later by going to the Programs tab.


How to see fewer of these alerts

It's normal to see several New Program alerts soon after installing Endpoint Security. As you assign permissions to each new program, the number of alerts you see will decrease. To keep from seeing Repeat Program alerts, select Remember this answer the next time I use this program before clicking Yes or No.

Repeat Program alert

Repeat Program alerts occur when a program on your computer tries to initiate a connection with a computer in the Internet Zone or Trusted Zone, and that program has asked for permission before.

Why these alerts occur

If you respond Yes or No to a New Program alert without checking Remember this answer the next time I use this program, you’ll see a Repeat Program alert the next time the program asks for access permission.

What you should do

You should respond to Repeat Program alerts in the same way you would to New Program alerts. See “New Program alert,” on page 156.

How to see fewer of these alerts

To keep from seeing Repeat Program alerts, select Remember this answer the next time I use this program before clicking Yes or No in any New Program or Repeat Program alert. This sets the permission for the program to Allow or Block in the Programs tab.

Changed Program alert

Changed Program alerts warn you that a program that has asked for access permission or server permission before has changed somehow. If you click Yes, the changed program is allowed access. If you click No, the program is denied access.

Why these alerts occur

Changed Program alerts can occur if you have updated a program since the last time it accessed the Internet. However, they can also occur if a hacker has somehow managed to tamper with the program.

Remember, some programs are configured to access the Internet regularly to look for available updates. Consult the documentation for your programs, or refer to the support Web sites of their vendors, to find out if they have automatic update functionality.

What you should do

To determine how to respond to a Changed Program alert, consider these questions:

• Did you (or, if you’re in a business environment, your systems administrator) recently upgrade the program that is asking for permission?


• Does it make sense for the program to need permission?

If you can answer “yes” to both questions, it’s probably safe to click Yes.

If you're not sure, it's safest to answer No. You can always grant permission later by going to the Programs tab. See “Setting permissions for specific programs,” on page 74.

How to see fewer of these alerts

Changed Program alerts are always displayed because they require a Yes or No response from you. If you are using a program whose checksum changes frequently, you can avoid seeing numerous alerts by having Endpoint Security check the program’s file name only. See “Adding a program to the programs list,” on page 76.

Program Component alert

Use the Program Component alert to allow or deny Internet access to a program that is using one or more components that haven't yet been secured by Endpoint Security. This helps protect you from hackers who try to use altered or faked components to get around your program control restrictions.

By clicking Yes, you allow the program to access the Internet while using the new or changed components. By clicking No, you prevent the program from accessing the Internet while using those components.

Why these alerts occur

Program Component alerts occur when a program accessing the Internet or local network is using one or more components that Endpoint Security has not yet secured, or that have changed since they were secured.

Endpoint Security automatically secures the components that a program is using at the time you grant it access permission. This prevents you from seeing a Component alert for every component loaded by your browser. To learn how Endpoint Security secures program components, see “Program authentication,” on page 68.

What you should do

The proper response to a Program Component alert depends on your situation. Consider the following questions:

• Are any of the following true?
    • You just installed or reinstalled Endpoint Security.
    • You recently updated the application that is loading the component. (For the application name, look under Technical Information in the alert pop-up.)
    • The application that is loading the component has an automatic update function.


    • Someone else (for example, a systems administrator at your workplace) may have updated a program on your computer without your knowledge.
• Are you actively using the application that loaded the component?

If you can answer “yes” to both questions, it is likely that Endpoint Security has detected legitimate components that your browser or other programs need to use. It is probably safe to answer Yes to the Program Component alert.

By clicking Yes, you allow the program to access the Internet while using the new or changed components. If you cannot answer “yes” to both questions, or if you feel unsure about the component for any reason, it is safest to answer No.

By clicking No, you prevent the program from accessing the Internet while using those components.

If you're not sure what to do, or if you decide to answer No, investigate the component to determine if it is safe.

How to see fewer of these alerts

You may receive a large number of component alerts if you raised the Program Authentication level to high soon after installing Endpoint Security. With authentication set to High, Endpoint Security cannot automatically secure the large number of DLLs and other components commonly used by browsers and other programs.

To reduce the number of alerts, lower the authentication level to medium for the first few days after installing Endpoint Security.

If you have been using Endpoint Security for more than a few days, it is very rare to see large numbers of program alerts.

Server Program alert

Server Program alerts enable you to set server permission for a program on your computer.

Why these alerts occur

Server Program alerts occur when a program on your computer wants server permission for either the Internet Zone or Trusted Zone, and that program has not already received server permission from you.

Relatively few programs on your computer will require server permission. Some common types of programs that do are:

• Chat
• Internet Call Waiting


• Music file sharing (such as Napster)
• Streaming Media (such as RealPlayer)
• Voice-over-Internet
• Web meeting

If you are using the types of programs described above that require server permission to operate properly, grant permission before you start using the program. See “Granting a program permission to act as a server,” on page 77.

If your browser does not have permission to access the Internet, you will be rerouted to the online help. To access AlertAdvisor, give your browser permission to access the Internet. See “Granting a program permission to access the Internet,” on page 76.

What you should do

Before responding to the Server Program alert, consider the following:

• Did you just launch a program or process that would reasonably require permission? If so, it’s probably safe to click Yes. If not, continue.
• Do you recognize the name of the program in the alert pop-up, and if so, does it make sense for the program to need permission? If so, it’s probably safe to click Yes.
• Click the More Info button in the alert box. This submits your alert information (for example, the name of the program and the address it was trying to reach) to AlertAdvisor, which then displays a Web page with information about the alert and the program. Use the AlertAdvisor information to help you decide if it’s safe to answer Yes. For more information, see “Using Alert Advisor,” on page 149.
• If you are still not certain that the program is legitimate and needs server permission, it is safest to answer No. If it becomes necessary, you can give the program server permission later by using the Programs tab. See “Granting a program permission to act as a server,” on page 77.


How to see fewer of these alerts

If you are using the types of programs described above that require server permission to operate properly, use the Programs tab in Endpoint Security to grant permission before you start using the program.

Advanced Program alert

Advanced Program alerts are similar to other Program alerts (New Program, Repeat Program, and Changed Program)--they inform you that a program is attempting to access the network.

However, they differ from other Program alerts in that the program is attempting to use another program to connect to the Internet, or is attempting to manipulate another program’s functionality.

Why these alerts occur

Advanced Program alerts occur in two situations: when a program on your computer tries to initiate a connection with a computer in the Internet Zone or Trusted Zone by instructing another program to connect; or when a program attempts to hijack the processes of another program by calling the OpenProcess function.

There are some legitimate programs associated with your operating system that may require access to another program. For example, if you were using Windows Task Manager to shut down Internet Explorer, Windows Task Manager would need to call the OpenProcess function on the Internet Explorer program in order to shut it down.

What you should do

How you should respond to an Advanced Program alert depends upon the cause of the alert. If the Advanced Program alert was caused by the OpenProcess function being called, you should determine whether the function was called by a legitimate program or by a malicious one. Verify that the program cited in the alert is one you trust to carry out this function. For example, if you were attempting to shut down a program using Windows Task Manager when you received the Advanced Program alert, it is probably safe to answer Yes. Similarly, if the alert was caused by a program using another program to access the Internet and that program routinely requests such permission, it is probably safe to answer Yes. If you are unsure as to the cause of the alert or the expected behavior of the program initiating the request, it is safest to answer No. After denying advanced permission to the program, perform an Internet search on the program’s file name. If the program is malicious, it is likely that information about it is available, including how to remove it from your computer.

How to see fewer of these alerts

It is unusual to see a large number of Advanced Program alerts. If you receive repeated alerts, research the program name or names and consider either removing the program from your computer or providing the program with the necessary access rights.

Automatic VPN Configuration alert

Automatic VPN Configuration alerts occur when Endpoint Security detects VPN activity. Depending upon the type of VPN activity detected, and whether Endpoint Security was able to configure your VPN connection automatically, you may see one of three Automatic VPN Configuration alerts.

Why these alerts occur

Automatic VPN Configuration alerts occur when Endpoint Security detects VPN activity that it is not configured to allow.

What you should do

How you should respond to an Automatic VPN Configuration alert depends upon which Automatic VPN Configuration alert you encounter, whether you are running VPN software or not, and whether you want to configure Endpoint Security to allow your VPN connection.

• If you are running VPN software on your computer and you want to configure the connection, select either:
    Configure Endpoint Security to support this VPN connection, or
    I am running VPN software and would like to configure Endpoint Security to support it
• If you are running VPN software but do not want Endpoint Security to configure your connection, select Do not configure Endpoint Security to support this VPN connection.
• If you are not running VPN software, select I am not running VPN software.

How to see fewer of these alerts

If you are running VPN software, the only way to see fewer of these alerts is to properly configure your Endpoint Security client to allow your VPN software and its required resources. See “Configuring your VPN connection manually,” on page 20.

Manual Action Required alert

A Manual Action Required alert informs you that further steps must be taken before Endpoint Security is properly configured to support your VPN connection.


Why these alerts occur

A Manual Action Required alert occurs when Endpoint Security is unable to configure your VPN connection automatically, or if further manual changes are required before automatic configuration can be completed.

What you should do

Manual Action Required alerts do not require a response from you. To configure your VPN connection manually, see “Configuring your VPN connection manually,” on page 20 and follow the instructions for manual configuration.

How to see fewer of these alerts

It is unusual for you to see many Manual Action Required alerts. If you do see multiple alerts, either perform the required steps to properly configure your Endpoint Security client to support your VPN connection, or remove the VPN software from your computer.

New Network alert

A New Network alert appears when Endpoint Security detects that you're connected to a network you haven't seen before. You can use the alert pop-up to enable file and printer sharing with that network. New Network alerts occur when you connect to any network--be it a wireless home network, a business LAN, or your ISP's network.

The first time you use Endpoint Security, you will almost certainly see a New Network alert. Don't worry! This alert is a convenience tool designed to help you configure Endpoint Security.

Why these alerts occur

New Network alerts occur when you connect to any network--be it a wireless home network, a business LAN, or your ISP's network.

By default, Endpoint Security versions 3.5 and above display the Network Configuration Wizard, rather than the New Network alert, when a network is detected.

What you should do

How you respond to a New Network alert depends on your particular network situation.

If you are connected to a home or business local network and you want to share resources with the other computers on the network, put the network in the Trusted Zone.

To add the new network to the Trusted Zone:

1. In the New Network alert pop-up, type a name for the network (for example “Home NW”) in the Name box.
2. Select Trusted Zone from the Zone drop-down list.
3. Click OK.

Use caution if Endpoint Security detects a wireless network. It is possible for your wireless network adapter to pick up a network other than your own. Be sure that the IP address displayed in the New Network alert is your network's IP address before you add it to the Trusted Zone.

If you are not certain what network Endpoint Security has detected, write down the IP address displayed in the alert box. Then consult your home network documentation, systems administrator, or ISP to determine what network it is.

How to see fewer of these alerts

It is unusual to receive a lot of New Network alerts.
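The program alerts described earlier in this appendix (New Program, Repeat Program, Changed Program and Program Component) all depend on comparing a program and its components with what was recorded when you last answered. The Python sketch below is an added illustration of that decision logic, not Check Point code: the class and function names, the use of SHA-256 as the checksum, and the sample byte strings are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def digest(data: bytes) -> str:
    # Assumption: SHA-256 stands in for whatever checksum the client records.
    return hashlib.sha256(data).hexdigest()


@dataclass
class ProgramRecord:
    checksum: str                    # checksum of the executable when last accepted
    decision: Optional[str] = None   # "allow"/"block" only if the answer was remembered
    filename_only: bool = False      # identify the program by file name only
    components: Dict[str, str] = field(default_factory=dict)  # secured components


class ProgramList:
    """Hypothetical model of the programs list: one record per program file name."""

    def __init__(self) -> None:
        self.records: Dict[str, ProgramRecord] = {}

    def classify(self, name: str, image: bytes, components: Dict[str, bytes]) -> str:
        """Return the alert this access attempt raises, or the remembered decision."""
        rec = self.records.get(name)
        if rec is None:
            return "New Program alert"
        if not rec.filename_only and rec.checksum != digest(image):
            return "Changed Program alert"
        if rec.decision is None:          # answered before, answer not remembered
            return "Repeat Program alert"
        if rec.decision == "block":
            return "block"
        # Modelling choice: components are checked once access is allowed.
        for comp, data in components.items():
            if rec.components.get(comp) != digest(data):
                return "Program Component alert"
        return "allow"

    def respond(self, name: str, image: bytes, components: Dict[str, bytes],
                yes: bool, remember: bool = False) -> None:
        """Record the user's Yes/No answer to whichever alert was shown."""
        rec = self.records.setdefault(name, ProgramRecord(checksum=digest(image)))
        if remember:
            rec.decision = "allow" if yes else "block"
        if yes:
            # Accepting secures the executable and every component in use now.
            rec.checksum = digest(image)
            for comp, data in components.items():
                rec.components[comp] = digest(data)


def demo() -> List[str]:
    # Constructed sample data: byte strings stand in for file contents.
    v1, v2 = b"browser build 1", b"browser build 2"
    libs = {"net.dll": b"net v1", "ui.dll": b"ui v1"}
    with_plugin = dict(libs, **{"plugin.dll": b"plugin v1"})
    tampered = dict(with_plugin, **{"net.dll": b"net v1 patched"})

    pl, out = ProgramList(), []
    out.append(pl.classify("browser.exe", v1, libs))         # first attempt
    pl.respond("browser.exe", v1, libs, yes=True)            # Yes, not remembered
    out.append(pl.classify("browser.exe", v1, libs))
    pl.respond("browser.exe", v1, libs, yes=True, remember=True)
    out.append(pl.classify("browser.exe", v1, libs))
    out.append(pl.classify("browser.exe", v1, with_plugin))  # unsecured component
    pl.respond("browser.exe", v1, with_plugin, yes=True)
    out.append(pl.classify("browser.exe", v1, with_plugin))
    out.append(pl.classify("browser.exe", v1, tampered))     # changed component
    out.append(pl.classify("browser.exe", v2, with_plugin))  # changed executable
    pl.records["browser.exe"].filename_only = True           # file name only
    out.append(pl.classify("browser.exe", v2, with_plugin))
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

In the last step of the sample run, a different executable under the same file name is allowed without a Changed Program alert, which is the trade-off to weigh before switching a program to file-name-only checking.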


Instant Messaging alerts

This section provides an explanation of the types of alert messages that may appear during an instant messaging session that is protected by Endpoint Security.

The table below lists the alert messages that can appear when using Endpoint Security. Consult the table for an explanation of why these alerts appear and to determine whether any action is required on your part. All alert messages appear in brackets [ ] in your instant messaging window.

Alert text | Explanation
Session not encrypted because [contact's IM ID] disabled encryption | This alert appears when you have encryption enabled, but your contact has disabled encryption.
Session not encrypted because [contact's IM ID] is not protected by Endpoint Security | This alert appears in your instant messaging window when you are having a conversation with a contact who is not using Endpoint Security.
Link removed | This alert appears in the message recipient’s window in place of a removed link.
Session encrypted | This alert appears at the beginning of an encrypted instant messaging conversation.
Potentially harmful content was removed from this message | This alert is appended to the filtered message.
Your message was blocked because you are not on [contact's IM ID]'s contact list | This alert appears when you attempt to send a message to someone who has Spam Blocker enabled, but who does not have you on his or her contact list.
A file transfer on [contact's IM ID]'s PC was blocked | This alert appears when you attempt to send a file to a contact, but the contact has blocked file transfers in Endpoint Security.
Video transmission on [contact's IM ID]'s PC was blocked | This alert appears when you attempt to transmit video to a contact, but the contact has blocked video transmission.
Potentially harmful formatting or scripting was removed from your last message | This alert appears when your contact set the Inbound protection option for Tags to Block, and you attempt to send a message to a contact that includes formatting or scripting.
A potentially harmful link was removed from your last message | This alert appears when your contact set the Inbound protection option for Active to Block, and you attempt to send a message to a contact that includes an executable link.

Table A-1: IM alert messages


Appendix B: Keyboard shortcuts

Many features of Endpoint Security are accessible using keyboard shortcuts.

• “Navigation shortcuts,” on page 167
• “Global function shortcuts,” on page 168
• “Dialog box commands,” on page 169
• “Button shortcuts,” on page 170


Navigation shortcuts

Use these keystrokes to navigate through Endpoint Security's panels, Tabs, and dialog boxes. Use F6 to reach the navigation element you want. Then use UP, DOWN, LEFT, and RIGHT arrows to reach the selection you want within that group.

For example:

To reach the Zones tab of the Firewall panel:

1. Press F6 until the left menu bar is selected.
2. Press the DOWN arrow until the Firewall panel is selected.
3. Press F6 until the tabs are selected.
4. Press UP, DOWN, LEFT, or RIGHT until the Zones tab is selected.

Keystroke | Function
F1 | Opens online help for the current panel.
F6 | Navigates through interface areas in the following order: panel selection, TAB selection, panel area, Stop/Lock controls.
TAB | Navigates through the interface areas in the same order as F6. However, pressing Tab when the panel area is active also navigates through the groups of controls within the panel.
UP and DOWN arrows | Navigates through individual controls within a group of controls.
LEFT and RIGHT arrows | Also navigate through individual controls within a group of controls. In list views, controls horizontal scrolling.
ALT+SPACEBAR | Opens the Windows control menu (maximize, minimize, close).

Table B-1: Navigation shortcuts


Global function shortcuts

Use the following keystrokes to activate functions from multiple locations in the interface. Note that some keystrokes may have other functions in specific panels. Those cases are listed under Button Shortcuts, below.

Keystroke | Function
ALT+T | Hides and displays explanatory text.
ALT+D | Restores default settings.
ALT+C | Opens a Custom dialog box, where one is available.
ALT+U | Opens a second Custom dialog box, where two Custom buttons are available (for example, in the Main tab of the Program Control panel).
ALT+A | Opens an advanced dialog box, where one is available.
ALT+DOWN ARROW | Opens the active drop-down list box. In list views, opens the left-click shortcut menu if one is available.
SHIFT+F10 | In list views, opens the right-click shortcut menu if one is available.
ESC | Equivalent to clicking a Cancel button.
ENTER | Equivalent to clicking the active button.
ALT+P | Equivalent to clicking an Apply button.
Delete | Removes a selected item from a list view.
ALT+F4 | Shuts down Endpoint Security.
ALT+A | Equivalent to clicking an Add button, where one is available.
ALT+R | Equivalent to clicking a Remove button.
ALT+E | Equivalent to clicking an Edit button.
ALT+M | Equivalent to clicking a More Info button, where one is available.

Table B-2: Global shortcuts


Dialog box commands

Use the keystrokes below when a dialog box is open.

Keystroke | Function
Tab | Activates the next control in the dialog box.
SHIFT+TAB | Activates the previous control in the dialog box.
CTRL+TAB | Opens the next TAB in a multiple-TAB dialog box.
CTRL+SHIFT+TAB | Opens the previous TAB in a multiple-TAB dialog box.
ALT+DOWN ARROW | Opens the active drop-down list box.
SPACEBAR | Clicks an active button. Selects/clears an active check box.
ENTER | Same as clicking the active button.
ESC | Same as clicking the Cancel button.

Table B-3: Dialog box shortcuts


Button shortcuts

Use the keystrokes below to click available buttons in an active window.

Panel | Tab | Keystroke | Equivalent to clicking
Overview | Status Tab | ALT+R | Tutorial
Overview | Product Info | ALT+I | Change License
Overview | Preferences | ALT+P | Set Password
Overview | Preferences | ALT+O | Log In/Log Out
Firewall | Zones | ALT+A | Add
Firewall | Zones | ALT+R | Remove
Firewall | Zones | ALT+E | Edit
Firewall | Zones | ALT+P | Apply
Program Control | Main | ALT+C | Program Control Custom
Program Control | Main | ALT+U | Automatic Lock Custom
Program Control | Main | ALT+A | Advanced
Program Control | Programs | ALT+A | Add
Program Control | Programs | ALT+O | Options
Program Control | Components | ALT+M | More info
Anti-spyware | Main | ALT+S | Scan Now
Anti-spyware | Main | ALT+U | Update Now*
Anti-spyware | Main | ALT+A | Advanced Options*
Anti-spyware | Quarantine | ALT+E | Delete
Anti-spyware | Quarantine | ALT+R | Remove
Anti-spyware | Quarantine | ALT+M | More Info
E-mail Protection | Attachments | ALT+A | Add
E-mail Protection | Attachments | ALT+C | Check All
E-mail Protection | Attachments | ALT+R | Clear All
Privacy | Main | ALT+C | Cookie Control/Custom
Privacy | Main | ALT+U | Ad Blocking/Custom
Privacy | Main | ALT+S | Mobile Code Control/Custom
Privacy | Cache Cleaner | ALT+L | Clean Now
Privacy | Cache Cleaner | ALT+C | Custom

Table B-4: Keystrokes for activating buttons


Panel | Tab | Keystroke | Equivalent to clicking
Privacy | Hard Drive, IE/MSN, Netscape | ALT+O | OK
Privacy | Hard Drive, IE/MSN, Netscape | ALT+C | Cancel
Privacy | Hard Drive, IE/MSN, Netscape, Main | ALT+D | Reset to Default
Alerts & Logs | Main | ALT+D | Reset to Default
Alerts & Logs | Log Viewer | ALT+M | More Info
Alerts & Logs | Log Viewer | ALT+D | Clear List
Alerts & Logs | Log Viewer | ALT+A | Add to Zone
Alerts & Logs | Log Control | ALT+B | Browse
Alerts & Logs | Log Control | ALT+E | Delete Log

Table B-4: Keystrokes for activating buttons


Appendix C: Troubleshooting

This chapter provides guidance for troubleshooting issues you may encounter while using Endpoint Security.

Topics:

• “VPN,” on page 173
• “Networking,” on page 175
• “Internet Connection,” on page 177


VPN

If you are having difficulty using VPN software with Endpoint Security, refer to the table for troubleshooting tips provided in this section.

If... | See...
You can't connect to your Virtual Private Network (VPN) | “Configuring Endpoint Security for VPN traffic,” on page 173
You have created expert firewall rules | “VPN auto-configuration and expert rules,” on page 173
You are using a supported VPN client and Endpoint Security does not detect it automatically the first time you connect | “Automatic VPN detection delay,” on page 173

Table C-1: Troubleshooting VPN problems

Configuring Endpoint Security for VPN traffic

If you cannot connect to your VPN, you may need to configure Endpoint Security to accept traffic coming from your VPN.

To configure Endpoint Security to allow VPN traffic:

1. Add VPN-related network resources to the Trusted Zone.
   See “Adding to the Trusted Zone,” on page 33.
2. Grant access permission to the VPN client and any other VPN-related programs on your computer.
   See “Setting permissions for specific programs,” on page 74.
3. Allow VPN protocols.
   See “Adding a VPN gateway and other resources to the Trusted Zone,” on page 21.

VPN auto-configuration and expert rules

If you have created expert firewall rules that block VPN protocols, Endpoint Security will not be able to automatically detect your VPN when you initiate a connection. To configure your VPN connection, you will need to make sure that your VPN client and VPN-related components are in the Trusted Zone, and that they have permission to access the Internet. See “Configuring your VPN connection,” on page 20.

Automatic VPN detection delay

Endpoint Security periodically polls your computer to determine if supported VPN protocols are engaged. Upon detection, Endpoint Security prompts you to configure your connection automatically. If you have recently installed a VPN client and have tried to connect, Endpoint Security may not have detected your VPN configuration. If you prefer Endpoint Security to configure your connection automatically, you can wait ten minutes, then try connecting again. If you prefer to connect right away, you can configure your connection manually. See “Configuring your VPN connection,” on page 20.


Networking

If you are having difficulty connecting to your network or using networking services, refer to the table for troubleshooting tips provided in this section.

If... | See...
You can’t see the other computers in your Network Neighborhood, or if they can’t see you | “Making your computer visible on your local network,” on page 175
You can’t share files or printers over your home or local network | “Sharing files and printers across a local network,” on page 176
Your computer is on a Local Area Network (LAN) and takes a long time to start up when Endpoint Security is installed | “Resolving a slow start up,” on page 176

Table C-2: Troubleshooting network problems

Making your computer visible on your local network

If you can’t see the other computers on your local network, or if they can’t see your computer, it is possible that Endpoint Security is blocking the NetBIOS traffic necessary for Windows network visibility.

To make your computer visible on the local network:

1. Add the network subnet (or, in a small network, the IP address of each computer you’re sharing with) to your Trusted Zone. See “Adding to the Trusted Zone,” on page 33.
2. Set the Trusted Zone security level to Medium, and the Internet Zone security level to High. This allows trusted computers to access your shared files, but blocks all other machines from accessing them. See “Setting advanced security options,” on page 29.

Endpoint Security will detect your network automatically and display the New Network alert. You can use the alert to add your network subnet to the Trusted Zone. For more information, see “New Network and VPN alerts,” on page 12.


Sharing files and printers across a local network

Endpoint Security enables you to quickly and easily share your computer so that the trusted computers you’re networked with can access your shared resources, but Internet intruders can’t use your shares to compromise your system.

To configure Endpoint Security for secure sharing:

1. Add the network subnet (or, in a small network, the IP address of each computer you’re sharing with) to your Trusted Zone. See “Adding to the Trusted Zone,” on page 33.
2. Set the Trusted Zone security level to Medium. This allows trusted computers to access your shared files. See “Choosing security levels,” on page 27.
3. Set the Internet Zone security level to High. This makes your computer invisible to non-trusted computers. See “Setting the security level for a Zone,” on page 27.

Resolving a slow start up

If Endpoint Security is configured to load at startup, some users connected to the LAN may find that it takes several minutes for the startup process to finish.

In most cases, this is because your computer needs access to your network’s Domain Controller to complete its startup and login process, and Endpoint Security is blocking access because the Controller has not been added to the Trusted Zone.

To solve this problem, add the host name or IP address of your network’s Domain Controller to the Trusted Zone.


Internet Connection

If you are having difficulty connecting to the Internet, refer to the table for troubleshooting tips provided in this section.

| If... | See... |
|---|---|
| You cannot connect to the Internet | “Connecting to the Internet fails after installation,” on page 177 |
| You can connect to the Internet but are disconnected after a short time | “Allowing ISP Heartbeat messages,” on page 177 |
| Your computer is an Internet Connection Sharing (ICS) client and you can’t connect to the Internet | “Connecting through an ICS client,” on page 178 |
| Your computer uses a proxy server to connect to the Internet and you can’t connect to the Internet | “Connecting through a proxy server,” on page 179 |

Table C-3: Troubleshooting Internet connection problems

Connecting to the Internet fails after installation

If you are unable to connect to the Internet after installing Endpoint Security, the first troubleshooting step is to determine whether Endpoint Security is the cause. If you are unable to follow the steps below, for example, if you can't clear the Load Endpoint Security at startup box, contact Check Point technical support.

To determine if Endpoint Security is the cause of connection problems:

1. Select Overview|Preferences.
2. In the General area, clear the check box Load Check Point Endpoint Security at startup. A warning dialog labeled Check Point TrueVector Service opens.
3. Click Yes.
4. Restart your computer, then try to connect to the Internet.

| Result | Meaning |
|---|---|
| If you can connect | Your Endpoint Security settings may be the cause of your connection problems. Make sure that your browser has access permission. See x-ref to section. |
| If you cannot connect | Your Endpoint Security settings are not the cause of your connection problems. |

Allowing ISP Heartbeat messages

Internet Service Providers (ISPs) periodically send heartbeat messages to their connected dial-up customers to make sure they are still there. If the ISP cannot determine that the customer is there, it might disconnect the customer so that the user’s IP address can be given to someone else.

By default, Endpoint Security blocks the protocols most commonly used for these heartbeat messages, which may cause you to be disconnected from the Internet. To prevent this from happening, you can identify the server sending the messages and add it to your Trusted Zone, or you can configure the Internet Zone to allow ping messages.

Identifying the source of the heartbeat messages

This is the preferred solution because it will work whether your ISP uses NetBIOS or ICMP (Internet Control Messaging Protocol) to check your connection, and it allows you to maintain high security for the Internet Zone.

To identify the server your ISP uses to check your connection:

1. When your ISP disconnects you, click Alerts & Logs|Log Viewer.
2. In the alerts list, find the alert that occurred at the time you were disconnected.
3. In the Entry Detail area, note the Source DNS detected. If you’re not able to identify the server this way, contact your ISP to determine which servers need access permission.
4. After you have identified the server, add it to the Trusted Zone. See “Adding to the Trusted Zone,” on page 33.

Configuring Endpoint Security to allow ping messages

If your ISP uses ICMP echo (or ping) messages for connectivity checks, configure Endpoint Security to allow ping messages from the Internet Zone.

To configure Endpoint Security to allow ping messages:

1. Select Firewall|Main.
2. In the Internet Zone area, click Custom.
3. Select the check box labeled Allow incoming ping (ICMP echo).
4. Click OK.
5. Set the security level for the Internet Zone to Medium. See “Choosing security levels,” on page 27.

Connecting through an ICS client

If you are using Windows’ Internet Connection Sharing (ICS) option, or a third-party connection sharing program, and you are unable to connect to the Internet, make sure that Endpoint Security is properly configured for the client and gateway machines. See “Enabling Internet Connection Sharing,” on page 19.

Do not configure Endpoint Security for Internet Connection Sharing if you use hardware such as a server or router, rather than a host PC.

Connecting through a proxy server

If you connect to the Internet through a proxy server and you are unable to connect to the Internet, make sure that the IP address of your proxy server is in your Trusted Zone. See “Adding to the Trusted Zone,” on page 33.
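The trade-off described under “Allowing ISP Heartbeat messages” can be checked with a small model. This is an added example, not Check Point code: it encodes only the zone rules this guide states and compares the two remedies. The class and function names, the Blocked-over-Trusted precedence, and every address (documentation ranges) are assumptions made for the illustration.

```python
"""Toy model of the zone rules stated in this guide; not Check Point code."""
import ipaddress
from dataclasses import dataclass, field

# The two traffic kinds the guide names as ISP heartbeat carriers.
NETBIOS, ICMP_ECHO = "netbios", "icmp-echo"


@dataclass
class ZoneConfig:
    trusted: list = field(default_factory=list)   # hosts or subnets in the Trusted Zone
    blocked: list = field(default_factory=list)   # hosts or subnets in the Blocked Zone
    internet_allow_ping: bool = False             # "Allow incoming ping (ICMP echo)"

    def zone_of(self, src):
        addr = ipaddress.ip_address(src)

        def listed(entries):
            # A bare address parses as a /32 network, so hosts and subnets mix freely.
            return any(addr in ipaddress.ip_network(e) for e in entries)

        # Assumption: a Blocked Zone entry wins over a Trusted Zone entry.
        if listed(self.blocked):
            return "blocked"
        if listed(self.trusted):
            return "trusted"
        return "internet"  # everything not placed in another Zone

    def answers(self, src, kind):
        """True if this host responds to uninvited traffic of `kind` from `src`."""
        zone = self.zone_of(src)
        if zone == "blocked":
            return False
        if zone == "trusted":
            # Trusting a server works for NetBIOS and ICMP alike (per the guide).
            return kind in (NETBIOS, ICMP_ECHO)
        # Internet Zone: NetBIOS is blocked; ping only if explicitly allowed.
        return kind == ICMP_ECHO and self.internet_allow_ping


def answered(cfg, events):
    """Events that receive a response, in input order."""
    return [(src, kind) for src, kind in events if cfg.answers(src, kind)]


def internet_exposure(cfg, events):
    """Internet Zone sources that learn this host exists."""
    seen = {s for s, k in events if cfg.zone_of(s) == "internet" and cfg.answers(s, k)}
    return sorted(seen, key=ipaddress.ip_address)


# Constructed sample data (addresses from documentation ranges).
LAN = "192.168.1.0/24"
ISP_SERVER = "192.0.2.10"
EVENTS = [
    ("192.168.1.20", NETBIOS),    # LAN peer opening a shared folder
    (ISP_SERVER, ICMP_ECHO),      # ISP heartbeat sent as ping
    (ISP_SERVER, NETBIOS),        # ISP heartbeat sent over NetBIOS
    ("203.0.113.77", ICMP_ECHO),  # unrelated Internet host pinging
    ("203.0.113.77", NETBIOS),    # unrelated Internet host probing shares
    ("198.51.100.5", ICMP_ECHO),  # another unrelated ping
]

DEFAULT = ZoneConfig(trusted=[LAN])                             # secure-sharing setup
TRUST_ISP = ZoneConfig(trusted=[LAN, ISP_SERVER])               # preferred remedy
ALLOW_PING = ZoneConfig(trusted=[LAN], internet_allow_ping=True)  # alternative remedy


def heartbeat_survives(cfg, kind):
    """Would the ISP's heartbeat of this kind get an answer?"""
    return cfg.answers(ISP_SERVER, kind)


if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT), ("trust ISP server", TRUST_ISP),
                      ("allow ping", ALLOW_PING)]:
        print(f"{name:18} heartbeat icmp={heartbeat_survives(cfg, ICMP_ECHO)} "
              f"netbios={heartbeat_survives(cfg, NETBIOS)} "
              f"visible to={internet_exposure(cfg, EVENTS)}")
```

In this model, trusting the one server keeps the host unanswering toward every Internet Zone source, while allowing ping answers any Internet host that sends an echo request and still drops a NetBIOS heartbeat.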


Glossary

1394
A very fast external bus standard that supports data transfer rates of up to 400Mbps (in 1394a) and 800Mbps (in 1394b). Products supporting the 1394 standard go under different names, depending on the company. Apple, which originally developed the technology, uses the trademarked name FireWire.

ACCESS PERMISSION
Access permission allows a program on your computer to initiate communications with another computer. This is distinct from server permission, which allows a program to “listen” for connection requests from other computers. You can give a program access permission for the Trusted Zone, the Internet Zone, or both.

ACT AS A SERVER
A program acts as a server when it “listens” for connection requests from other computers. Several common types of applications, such as chat programs, e-mail clients, and Internet Call Waiting programs, may need to act as servers to operate properly. However, some hacker programs act as servers to listen for instructions from their creators. Endpoint Security prevents programs on your computer from acting as servers unless you grant server permission.

ACTIVEX CONTROLS
ActiveX controls (developed by Microsoft) are a set of elements such as check boxes or buttons that offer options to users or run macros or scripts that automate a task.

AD BLOCKING
An Endpoint Security feature that enables you to block banner, pop-up and other types of advertisements.

ADVANCED PROGRAM CONTROL
Advanced Program Control is an advanced security feature that tightens your security by preventing unknown programs from using trusted programs to access the Internet.

ALERTADVISOR
Check Point AlertAdvisor is an online utility that enables you to instantly analyze the possible causes of an alert, and helps you decide whether to respond Yes or No to a Program alert. To use AlertAdvisor, click the More Info button in an alert pop-up. Endpoint Security sends information about your alert to AlertAdvisor. AlertAdvisor returns an article that explains the alert and gives you advice on what, if anything, you need to do to ensure your security.

ANIMATED AD
An advertisement that incorporates moving images.

BANNER AD
An ad that appears in a horizontal banner across a Web page.

BLOCKED ZONE
The Blocked Zone contains computers you want no contact with. Endpoint Security prevents any communication between your computer and the machines in this Zone.

CACHE CLEANER
Privacy feature that enables you to remove unwanted files and cookies from your computer on demand, or on a scheduled basis.

COMPONENT
A small program or set of functions that larger programs call on to perform specific tasks. Some components may be used by several different programs simultaneously. Windows operating systems provide many component DLLs (Dynamic Link Libraries) for use by a variety of Windows applications.

COMPONENT LEARNING MODE
The period after installation when program control is set to Medium. When in component learning mode, Endpoint Security can quickly learn the MD5 signatures of many frequently used components without interrupting your work with multiple alerts.

COOKIE
A small data file used by a Web site to customize content, remember you from one visit to the next, and/or track your Internet activity. While there are many benign uses of cookies, some cookies can be used to divulge information about you without your consent.

COOKIE CONTROL
Privacy feature that allows you to prevent cookies from being stored on your computer.

DHCP (DYNAMIC HOST CONFIGURATION PROTOCOL)
A protocol used to support dynamic IP addressing. Rather than giving you a static IP address, your ISP may assign a different IP address to you each time you log on. This allows the provider to serve a large number of customers with a relatively small number of IP addresses.

DHCP (DYNAMIC HOST CONFIGURATION PROTOCOL) BROADCAST/MULTICAST
A type of message used by a client computer on a network that uses dynamic IP addressing. When the computer comes online, if it needs an IP address, it issues a broadcast message to any DHCP servers which are on the network. When a DHCP server receives the broadcast, it assigns an IP address to the computer.

DIAL-UP CONNECTION
Connection to the Internet using a modem and an analog telephone line. The modem connects to the Internet by dialing a telephone number at the Internet Service Provider’s site. This is in distinction to other connection methods, such as Digital Subscriber Lines, that do not use analog modems and do not dial telephone numbers.

DLL (DYNAMIC LINK LIBRARY)
A library of functions that can be accessed dynamically (that is, as needed) by a Windows application.

DNS (DOMAIN NAME SERVER)
A data query service generally used on the Internet for translating host names or domain names (like www.yoursite.com) into Internet addresses (like 123.456.789.0).

EMBEDDED OBJECT
An object such as a sound file or an image file that is embedded in a Web page.

ENDPOINT SECURITY SERVER
An endpoint security system by Check Point that enables systems administrators to manage computer security from a single location. Administrators create security policies, then deploy them to the Endpoint Security applications running on their users' computers.

ENTERPRISE POLICY
A collection of security settings (firewall, program control, e-mail protection, and so forth) designed by a network administrator and delivered to Endpoint Security by uploading from Endpoint Security Server. The endpoint user cannot change the enterprise policy.

GATEWAY
In networking, a combination of hardware and software that links two different types of networks. For example, if you are on a home or business Local Area Network (LAN), a gateway enables the computers on your network to communicate with the Internet.

HEARTBEAT MESSAGES
Messages sent by an Internet Service Provider (ISP) to make sure that a dial-up connection is still in use. If it appears a customer is not there, the ISP might disconnect her so that her IP address can be given to someone else.

HIGH-RATED ALERTS
An alert that is likely to have been caused by hacker activity. High-rated Firewall alerts display a red band at the top of the alert pop-up. In the Log Viewer, you can see if an alert was high-rated by looking in the Rating column.

HTTP REFERRER HEADER FIELD
An optional field in the message that opens a Web page, containing information about the “referring document.” Properly used, this field helps Web masters administer their sites. Improperly used, it can divulge your IP address, your workstation name, login name, or even (in a poorly-implemented e-commerce site) your credit card number. By selecting Remove Private Header information in the Cookies tab, you prevent this header field from transferring any information about you.

ICMP (INTERNET CONTROL MESSAGING PROTOCOL)
An extension of the Internet Protocol that supports error control and informational messages. The “ping” message is a common ICMP message used to test an Internet connection.

ICS (INTERNET CONNECTION SHARING)
ICS is a service provided by the Windows operating system that enables networked computers to share a single connection to the Internet.

INDEX.DAT
Index.dat files keep copies of everything that was in your Temporary Internet, Cookies, and History folders even AFTER these files have been deleted.

INFORMATIONAL ALERTS
The type of alerts that appear when Endpoint Security blocks a communication that did not match your security settings. Informational alerts do not require a response from you.

INTERNET ZONE
The Internet Zone contains all the computers in the world—except those you have added to the Trusted Zone or Blocked Zone.
Endpoint Security applies the strictest security to the Internet Zone, keeping you safe from hackers. Meanwhile, the medium security settings of the Trusted Zone enable you to communicate easily with the computers or networks you know and trust—for example, your home network PCs, or your business network.

IP ADDRESS
The number that identifies your computer on the Internet, as a telephone number identifies your phone on a telephone network. It is a numeric address, usually displayed as four numbers between 0 and 255, separated by periods. For example, 172.16.100.100 could be an IP address.
Your IP address may always be the same. However, your Internet Service Provider (ISP) may use Dynamic Host Configuration Protocol (DHCP) to assign your computer a different IP address each time you connect to the Internet.

ISP (INTERNET SERVICE PROVIDER)
A company that provides access to the Internet. ISPs provide many kinds of Internet connections to consumers and businesses, including dial-up (connection over a regular telephone line with a modem), high-speed Digital Subscriber Lines (DSL), and cable modem.

JAVA APPLET
A Java applet is a small Internet-based program written in Java, which is usually embedded in an HTML page, and which can be executed within a Web browser.

JAVASCRIPT
A popular scripting language that enables some of the most common interactive content on Web sites. Some of the most frequently used JavaScript functions include Back and History links, changing images on mouse-over, and opening and closing browser windows. Endpoint Security default settings allow JavaScript because it is so common and because most of its uses are harmless.

MAIL SERVER
The remote computer from which the e-mail program on your computer retrieves e-mail messages sent to you.

MD5 SIGNATURE
A digital “fingerprint” used to verify the integrity of a file. If a file has been changed in any way (for example, if a program has been compromised by a hacker), its MD5 signature will change as well.

MEDIUM-RATED ALERT
An alert that was probably caused by harmless network activity, rather than by a hacker attack.

MIME-TYPE INTEGRATED OBJECT
An object such as an image, sound file, or video file that is integrated into an e-mail message. MIME stands for Multipurpose Internet Mail Extensions.

MOBILE CODE
Executable content that can be embedded in Web pages or HTML e-mail. Mobile code helps make Web sites interactive, but malicious mobile code can be used to modify or steal data, and for other malevolent purposes.

MOBILE CODE CONTROL
An Endpoint Security feature that enables you to block active controls and scripts on the Web sites you visit. While mobile code is common on the Internet and has many benign uses, hackers can sometimes use it for malevolent purposes.

NETBIOS (NETWORK BASIC INPUT/OUTPUT SYSTEM)
A program that allows applications on different computers to communicate within a local network. By default, Endpoint Security allows NetBIOS traffic in the Trusted Zone, but blocks it in the Internet Zone. This enables file sharing on local networks, while protecting you from NetBIOS vulnerabilities on the Internet.

PACKET
A single unit of network traffic. On “packet-switched” networks like the Internet, outgoing messages are divided into small units, sent and routed to their destinations, then reassembled on the other end. Each packet includes the IP address of the sender, and the destination IP address and port number.

PASS-LOCK
When the Internet Lock is engaged, programs given pass-lock permission can continue accessing the Internet. Access permission and server permission for all other programs are revoked until the lock is opened.

PERSISTENT COOKIE
A cookie put on your hard drive by a Web site you visit. These cookies can be retrieved by the Web site the next time you visit. While useful, they create a vulnerability by storing information about you, your computer, or your Internet use in a text file.

PERSONAL POLICY
Your personal policy comprises all the security settings you can control through the Endpoint Security interface. For example, if you use the Zones tab to add a server to the Trusted Zone, that configuration becomes part of your personal policy.

PING
A type of ICMP message (formally “ICMP echo”) used to determine whether a specific computer is connected to the Internet. A small utility program sends a simple “echo request” message to the destination IP address, and then waits for a response. If a computer at that address receives the message, it sends an “echo” back. Some Internet providers regularly “ping” their customers to see if they are still connected.

POP-UNDER AD
An ad that appears in a new browser window that opens under the window you're looking at, so you don't see the ad until you close the original browser window.

POP-UP AD
An ad that appears in a new browser window that 'pops up' in front of the window you're looking at.

PORT
A channel associated with the use of TCP or UDP. Some ports are associated with standard network protocols; for example, HTTP (Hypertext Transfer Protocol) is traditionally addressed to port 80. Port numbers range from 0 to 65535.

PORT SCAN
A technique hackers use to find unprotected computers on the Internet. Using automated tools, the hacker systematically scans the ports on all the computers in a range of IP addresses, looking for unprotected or “open” ports. Once an open port is located, the hacker can use it as an access point to break in to the unprotected computer.

PRIVACY ADVISOR
A small display that shows you when Endpoint Security blocks cookies or mobile code, and enables you to un-block those elements for a particular page.

PRIVATE HEADER
A section of a Web page that contains information about the Web site, which can collect information about visitors to the site. Private header information enables sites you visit by clicking a link from another site to know what site you came from. If a site implements the use of private headers carelessly, private headers can transfer information that you’ve entered in a web form (for example, SS number, credit card, etc.).

PRIVATE NETWORK
A home or business Local Area Network (LAN). Private networks are placed in the Trusted Zone by default.

PROGRAMS LIST
The list of programs to which you can assign Internet access and server permissions. The list is shown in the Programs tab of the Program Control panel. You can add programs to the list, or remove programs from it.

PROTOCOL
A standardized format for sending and receiving data. Different protocols serve different purposes; for example, SMTP (Simple Mail Transfer Protocol) is used for sending e-mail messages, while FTP (File Transfer Protocol) is used to send large files of different types. Each protocol is associated with a specific port; for example, FTP messages are addressed to port 21.

PUBLIC NETWORK
A large network, such as that associated with an ISP. Public networks are placed in the Internet Zone by default.

QUARANTINE
Endpoint Security's MailSafe quarantines incoming e-mail attachments whose filename extensions (for example, .EXE or .BAT) indicate the possibility of auto-executing code. By changing the filename extension, quarantining prevents the attachment from opening without inspection. This helps protect you from worms, viruses, and other malware that hackers distribute as e-mail attachments.

SCRIPT
A series of commands that execute automatically, without the user intervening. These usually take the form of banners, menus that change when you move your mouse over them, and popup ads.

SECURITY LEVELS
The High, Med., and Low settings that dictate the type of traffic allowed into or out of your computer.

SERVER PERMISSION
Server permission allows a program on your computer to “listen” for connection requests from other computers, in effect giving those computers the power to initiate communications with yours. This is distinct from access permission, which allows a program to initiate a communications session with another computer. Several common types of applications, such as chat programs, e-mail clients, and Internet Call Waiting programs, may need server permission to operate properly. Grant server permission only to programs you're sure you trust, and that require it in order to work. If possible, avoid granting a program server permission for the Internet Zone. If you need to accept incoming connections from only a small number of machines, add those machines to the Trusted Zone, and then allow the program server permission for the Trusted Zone only.

SESSION COOKIE
A cookie stored in your browser’s memory cache that disappears as soon as you close your browser window. These are the safest cookies because of their short life-span.

SKYSCRAPER AD
An ad that appears in a vertical column along the side of a Web page.

STEALTH MODE
When Endpoint Security puts your computer in stealth mode, any uninvited traffic receives no response--not even an acknowledgement that your computer exists. This renders your computer invisible to other computers on the Internet, until a permitted program on your computer initiates contact.

TCP (TRANSMISSION CONTROL PROTOCOL)
One of the main protocols in TCP/IP networks, which guarantees delivery of data, and that packets are delivered in the same order in which they were sent.

THIRD PARTY COOKIE
A persistent cookie that is placed on your computer, not by the Web site you are visiting, but by an advertiser or other 'third party.' These cookies are commonly used to deliver information about your Internet activity to that third party.

TROJAN HORSE
A malicious program that masquerades as something useful or harmless, such as a screen saver. Some Trojan horses operate by setting themselves up as servers on your computer, listening for connections from the outside. If a hacker succeeds in contacting the program, he can effectively take control of your computer. This is why it's important to only give server permission to programs you know and trust. Other Trojan horses attempt to contact a remote address automatically.

TRUEVECTOR SECURITY ENGINE
The primary component of Endpoint Security security. It is the TrueVector engine that examines Internet traffic and enforces security rules.

TRUSTED ZONE
The Trusted Zone contains computers you trust and want to share resources with.
For example, if you have three home PCs that are linked together in an Ethernet network, you can put each individual computer or the entire network adapter subnet in the Endpoint Security Trusted Zone. The Trusted Zone's default medium security settings enable you to safely share files, printers, and other resources over the home network. Hackers are confined to the Internet Zone, where high security settings keep you safe.

UDP (USER DATAGRAM PROTOCOL)
A connectionless protocol that runs on top of IP networks and is used primarily for broadcasting messages over a network.

WEB BUG
An image file, often 1x1 pixel, designed to monitor visits to the page (or HTML e-mail) containing it. Web bugs are used to find out what advertisements and Web pages you have viewed.




IndexAaccess permissionand antivirus software 83browser software and 83e-mail programs and 84for Trusted Zone 10FTP programs and 86games and 86granting to programs 22, 68password and 73setting for ports 36act as server 10defined 180ad blockingabout 117addingcustom ports 36networks to the Trusted Zone 31programs to the programs list 76to the Blocked Zone 34to the Trusted Zone 33Address Resolution Protocol, enabling 30Advanced Program alert 161adware 110AlertAdvisor 151about 149browser permission and 160defined 180alertshigh-rated 151Informational 151Internet Lock 153logging of 139medium-rated 151preferences for 72ProgramAdvanced Program alert 161Automatic VPN Configuration alert 20, 162Blocked Program 152Changed Program alert 68, 69, 157Manual Action Required alert 162New Program 156Repeat Program alert 68, 144Server Program alert 68, 84, 144, 153reference 150–164responding to 11, 20, 69, 76animated adsblocking 118filling void left by 126answering machine programs 85antivirus protectionstatus, viewing 111antivirus software 83AOLInstant Messenger, using 84Privacy Site List and 123Application Interaction Control 70archive filesviruses and 103Authenticating Header (AH) Protocol 20authenticating programs 68AutoComplete forms, clearing data see Cache Cleanerautomatic lockenabling 71setting options for 71Automatic VPN Configuration alert 162Bbanner adsblocking 118filling void left by 126Blocked Intrusions area 8Blocked Program alert 152Blocked Zoneabout 9adding to 34blockingads 126–127cookies 124–125embedded objects 128executable URLs 165file transfers 165packet fragments 30ports 35programs 30, 72–80scripts 128video transmission 165browser cache, cleaning 131browser help object 110browser software, using 83User Guide for <strong>Check</strong> <strong>Point</strong> <strong>Endpoint</strong> <strong>Security</strong> client 190


CCache Cleaner 129–132about 129browser cleaning options, setting 130–132hard drive cleaning options, setting 129running manually 129cache cleanerabout 117Changed Program alert 68, 69, 157Changes Frequently 76chat programsServer Program alert and 84using 84color-scheme, changing 14componentsauthenticating 68, 70managing 81MD5 signature of 70VPN-related 20Components List 81Control Center,overview 6cookie controlabout 117cookies 110blocking 117, 124–125keeping and removing 130setting an expiration date for 125CreateProcess function 70custom ports, adding 36Ddeep-inspection scan 98dialer 110disconnected policy 135display preferences, setting 13Domain Name Server (DNS)defined 182outgoing messagesdefault port permissions for 35required VPN resources 21troubleshooting Internet connection 178Dynamic Host Configuration Protocol (DHCP) messagesdefault port permissions for 35remote control programs and 87Ee-mail protection 112–115about 113outbound 113embedded objects, blocking 128Encapsulating <strong>Security</strong> Payload (ESP) protocolVPN protocols and 20, 30<strong>Endpoint</strong> <strong>Security</strong> 2file sharing programs and 85FTP programs and 85installing 1–2policies and 134enterprise policy 135Eudora 113, 114event loggingabout 139customizing 143turning on and off 141expiration datesetting for cookies 125Ffile and printer sharingenabling 18network security and 31server access and 160troubleshooting 85file fragments, removing see Cache Cleaner 130file transfer, blocking 165filter options, setting 79Firewall alertdetermining source of 151logging of 143responding to 151firewall protection 25about 26advanced security options 29–34blocking and unblocking ports 35setting security level for 27–28FireWire 30formatting log file 143forms data, removing from cache see Cache Cleanerfragments, blocking 30FTPprograms, using 85full system scan 98Ggamesusing with <strong>Endpoint</strong> <strong>Security</strong> 86–87gatewayadding to the Trusted Zone 33forwarding or 
suppressing alerts 29Internet Connection Sharing (ICS) and 19default port permissions 35security enforcement of 29Generic Routing Encapsulation (GRE) protocolmentioned 30VPN protocols and 20, 22Hhard drive, cleaning 129User Guide for <strong>Check</strong> <strong>Point</strong> <strong>Endpoint</strong> <strong>Security</strong> client 191


harmful links, removing 165heartbeat messagesallowing 177defined 182dial-up connection, troubleshooting 178High security settingabout 9ad blocking and 118alert events shown in 141allowing uncommon protocols 22cookie control 118default port permissions in 35–36file and printer sharing 18firewall protection and 27for Internet Zone 27for Trusted Zone 27logging options and 141privacy protection and 118program control and 70High security settingsallow uncommon protocols 30high-rated alerts 151home networkFirewall alerts and 151host nameadding to Trusted Zone 34, 176and computer startup 176in list of traffic sources 32in Privacy Site list 123hosts file, locking 30Iie3.proxy.aol.com 123IGMPdefault port permissions for 35index.dat files, removing see Cache Cleanerinfected filesrisk assessment of 101, 107Informational alerts 151Installation Alert 4installing <strong>Endpoint</strong> <strong>Security</strong> 1–2Integrity client softwareloading at startup 14Intelligent quick scan 98Internet Connection Sharing (ICS)enabling 19setting security options for 29Internet Control Messaging Protocol (ICMP)default port permissions for 35troubleshooting Internet connection 178Internet Explorercache, cleaning 131granting access permission to 83privacy protection and 118setting cleaning options for 130Internet Key Exchange (IKE) protocolVPN protocols and 20Internet Lock alerts 153Internet servers, blocking 30Internet Service Provider (ISP)heartbeat messages from 177in alert details 139in list of traffic sources 32Internet Zoneadding networks to automatically 31networks, adding to automatically 16permissions and 10IP addressadding to the Trusted Zone 18, 33determining network type from 16hiding in submissions to <strong>Check</strong> <strong>Point</strong> 14in list of traffic sources 32Lookup button and 34IP <strong>Security</strong> (IPSec) protocolVPN protocols and 20JJava applets, blocking 128Juno 113, 114Kkeeping cookies 131key symbol 77keyboard shortcuts 166–170keylogger 110LLayer 
2 Tunneling protocol (L2TP)VPN protocols and 20learning mode 70Lightweight Directory Access protocol (LDAP)VPN protocols and 20local servers, blocking 30lock iconin programs list 77lock mode, specifying 71log entriesabout 139archiving 147–148fields in 147for Program alerts 143for programs 143formatting 143options for 143viewing 144, 146Log Vieweraccessing 144fields in 145loopback adaptoradding to the Trusted Zone 20User Guide for <strong>Check</strong> <strong>Point</strong> <strong>Endpoint</strong> <strong>Security</strong> client 192


Low security setting
  Changes Frequently option 76
  default port permissions for 35–36
  file and printer sharing and 27
  learning mode 71
  program control and 71
  Zones and 27
lsass.exe 11

M
mail servers, connecting to 18
mail trash, cleaning see Cache Cleaner
MailSafe alert 152
MD5 Signature 70, 76
  defined 184
Medium security setting
  about 9
  ad blocking and 118
  alert events 141
  alerts and 151, 159
  cookie control and 124
  customizing 10
  default port permissions for 35–36
  file and printer sharing and 18
  Internet Zone and 27, 85, 178
  learning mode 70
  logging options and 141
  networking and 18
  port access and 36
  privacy protection and 118
  program control and 70, 85
  resource sharing and 176
  Trusted Zone and 27, 33, 175
  uncommon protocols and 30
medium-rated alerts 151
Microsoft Outlook 113, 114
Microsoft Outlook Express 113, 114
mime-type integrated objects
  blocking 128
  defined 184
mobile code control
  about 117
  customizing 123, 128
More Info button 149, 160
  keyboard shortcut for 168, 171

N
NetBIOS
  default port permissions for 35
  defined 185
  firewall alerts and 151
  heartbeat messages and 178
  High security setting and 27
  network visibility and 175
Netscape
  cache, cleaning 131
  e-mail protection and 113, 114
  removing cookies 132
  setting cleaning options for 130
  version 4.73 84
Network Configuration Wizard
  about 16
  disabling 17
network resources, sharing 16
network security options, setting 31
network settings
  setting 31
New Program alert 156

O
OpenGL
  and system crash 86
OpenProcess 78
OpenProcess function 70
Outbound MailSafe protection
  customizing 114–115
  enabling 113
Outbound Protection area 8

P
packet
  defined 185
  source of
    determining 147
  types, blocking 30
pass-lock permission
  granting to a program 77
  icon for 76
password
  creating 13
  Program Control and 73, 79
  VNCviewer and 88
passwords
  clearing from cache 131
  creating 13
Pegasus Mail 113, 114
pencil icon 122
permission
  pass-lock 71
  server 10
persistent cookies
  blocking 124
  setting an expiration date for 125
personal policy 135
ping messages
  allowing in Internet Zone 178
  and alerts 151
  default port permissions for 35
Point-to-Point Tunneling Protocol (PPTP)
  VPN protocols and 20


Policies 134
Policies panel 137
policy arbitration 136
ports
  1394 30
  adding 36
  blocking and unblocking 35–36
  default permissions for 35
  firewall protection and 26
  High security setting and 27
ports_adding_custom 36
preferences
  for firewall protection 29
  for Program Control 72
  keyboard shortcut 170
  load at startup 177
preferences, setting 13
printers see network resources, sharing
Privacy Advisor
  using 120
Privacy Protection
  ad blocking
    customizing 126–127
    setting level for 118
  Cache Cleaner 129–132
    running manually 129
  cookie control 124–125
    customizing 124–125
    setting level for 118
  enabling per program 118
  mobile code control
    customizing 128
    enabling and disabling 118
    setting levels for 118
Privacy Site List
  accessing 121
  ad blocking software and 122
  adding Web sites to 122
  AOL and 123
Privacy site List 121
private network
  defined 186
  Network Configuration Wizard and 16
  virtual see Virtual Private Network (VPN)
Program alerts 156–162
program authentication 68
Program Component alert 158
program components
  managing 81–82
Program Control 67–87
  about 68
  customizing 73
  Internet Lock and 71
  Medium security setting and 70
  setting level for 70
  Zones and 10
programs
  adding to the programs List 76
programs list
  accessing 74
  adding and removing programs 76
  symbols used in 75
protocols
  default permissions for 35
  firewall protection and 30
  in expert rules 30
  mail 18
  VPN 20, 22
proxy server
  adding to the Trusted Zone 17
  troubleshooting Internet Connection 177
public network
  defined 186
  Network Configuration Wizard and 16

R
range of IP addresses
  adding to the Trusted Zone 33
remote access programs
  troubleshooting 14
remote host computers
  VPN configuration and 21
Repeat Program alert 68, 157
  logging options and 144
responding to alerts 11, 20, 69, 139
risk assessment of infections 101, 107

S
scanning for viruses 100–103
schedule scans 90
screenlogger 110
scripts, blocking 128
send mail permission 78
  Outbound MailSafe protection and 113
server permission
  alerts and 159
  chat programs and 84
  column in programs list 76
  default for traffic types 35
  e-mail programs and 84
  file sharing programs and 85
  games and 86
  granting to programs 77
  Program access control and 68
  streaming media programs and 88
  Voice Over Internet programs and 88
  Zones and 10
Server Program alert 68, 72, 84, 153
  logging options and 144
services.exe 11
session cookies
  blocking 124
  High security setting and 118
SKIP 20


skyscraper ads
  filling void left by 126
software rendering mode 86
source
  keeping cookies from a 130
  of traffic, determining 32, 139
spoolsv.exe 11
spy cookie 110
spyware
  scanning for 98
  types of 110
Status tab 8
stealth mode
  defined 187
  High security setting and 27
subnet
  adding to the Trusted Zone 33
  entry type 32
  VPN configuration and 21
svchost.exe 11

T
third-party cookies, blocking 124
traffic sources
  default port permissions for 35
  list of 32
  managing 32
Transmission Control Protocol (TCP)
  default port permission for 35
treating viruses 95
Trojan 68
Trojan horse 68, 110
  e-mail protection and 113
  Program Control and 77
  protecting Endpoint Security from 73
Troubleshooting 172–179
TrueVector security engine 73, 177
Trusted Zone
  adding networks to automatically 31
  adding to 33
  Internet Connection Sharing (ICS) and 19
  networks, adding to automatically 16
  permissions and 10
  proxy server, adding to 17
  VPN resources, adding to 20

U
UDP
  default port permissions for 35
uncommon protocols
  allow 30
URL history, cleaning see Cache Cleaner

V
video transmission, blocking 165
Virtual Private Network (VPN)
  alerts 20, 162
  Automatic Configuration alert 162
  configuring connection 20–22, 173
  Manual Action Required alert 162
  troubleshooting connection 173
viruses
  and archive files 103
  scanning for 100–103
  treating 95, 102
  updating signature files 91

W
Windows Firewall
  disable 30
Windows Media
  clearing history 130
winlogon.exe 11
worm 110

Z
Zones
  about 9
  adding to 33–34
  firewall protection and 32
  keyboard shortcuts 167
